KEYCLOAK-1150

'iss' should be URL not just realm name

core/src/main/java/org/keycloak/KeycloakSecurityContext.java

@@ -50,7 +50,7 @@ public String getIdTokenString() {
 
     public String getRealm() {
         // Assumption that issuer contains realm name
-        return token.getIssuer();
+        return token.getIssuer().substring(token.getIssuer().lastIndexOf('/') + 1);
     }
 
     // SERIALIZATION

core/src/main/java/org/keycloak/RSATokenVerifier.java

@@ -12,11 +12,11 @@
  * @version $Revision: 1 $
  */
 public class RSATokenVerifier {
-    public static AccessToken verifyToken(String tokenString, PublicKey realmKey, String realm) throws VerificationException {
-        return verifyToken(tokenString, realmKey, realm, true);
+    public static AccessToken verifyToken(String tokenString, PublicKey realmKey, String realmUrl) throws VerificationException {
+        return verifyToken(tokenString, realmKey, realmUrl, true);
     }
 
-    public static AccessToken verifyToken(String tokenString, PublicKey realmKey, String realm, boolean checkActive) throws VerificationException {
+    public static AccessToken verifyToken(String tokenString, PublicKey realmKey, String realmUrl, boolean checkActive) throws VerificationException {
         JWSInput input = null;
         try {
             input = new JWSInput(tokenString);
@@ -35,7 +35,7 @@ public static AccessToken verifyToken(String tokenString, PublicKey realmKey, St
         if (user == null) {
             throw new VerificationException("Token user was null.");
         }
-        if (!realm.equals(token.getIssuer())) {
+        if (!realmUrl.equals(token.getIssuer())) {
             throw new VerificationException("Token audience doesn't match domain.");
 
         }

core/src/test/java/org/keycloak/RSAVerifierTest.java

@@ -72,7 +72,7 @@ public void initTest() {
 
         token = new AccessToken();
         token.subject("CN=Client")
-                .issuer("domain")
+                .issuer("http://localhost:8080/auth/realm")
                 .addAccess("service").addRole("admin");
     }
 
@@ -102,7 +102,7 @@ public void testSimpleVerification() throws Exception {
     }
 
     private AccessToken verifySkeletonKeyToken(String encoded) throws VerificationException {
-        return RSATokenVerifier.verifyToken(encoded, idpPair.getPublic(), "domain");
+        return RSATokenVerifier.verifyToken(encoded, idpPair.getPublic(), "http://localhost:8080/auth/realm");
     }
 
    /*

core/src/test/java/org/keycloak/SkeletonKeyTokenTest.java

@@ -104,7 +104,7 @@ public void testSerialization() throws Exception {
     private AccessToken createSimpleToken() {
         AccessToken token = new AccessToken();
         token.id("111");
-        token.issuer("acme");
+        token.issuer("http://localhost:8080/auth/acme");
         token.addAccess("foo").addRole("admin");
         token.addAccess("bar").addRole("user");
         return token;

docbook/reference/en/en-US/modules/MigrationFromOlderVersions.xml

@@ -79,6 +79,30 @@
 
     <section>
         <title>Version specific migration</title>
+        <section>
+            <title>Migrating from 1.1.0.Final to 1.2.0.Beta1</title>
+            <simplesect>
+                <title><literal>iss</literal> in access and id tokens</title>
+                <para>
+                    The value of <literal>iss</literal> claim in access and id tokens have changed from <literal>realm name</literal>
+                    to <literal>realm url</literal>. This is required by OpenID Connect specification. If you're using our adapters
+                    there's no change required, other than if you've been using bearer-only without specifying <literal>auth-server-url</literal>
+                    you have to add it now. If you're using another library (or RSATokenVerifier) you need to make the corresponding
+                    changes when verifying <literal>iss</literal>.
+                </para>
+            </simplesect>
+            <simplesect>
+                <title>OpenID Connect endpoints</title>
+                <para>
+                    To comply with OpenID Connect specification the authentication and token endpoints have been changed
+                    to having a single authentication endpoint and a single token endpoint. As per-spec <literal>response_type</literal>
+                    and <literal>grant_type</literal> parameters are used to select the required flow. The old endpoints (<literal>/realms/{realm}/protocols/openid-connect/login</literal>,
+                    <literal>/realms/{realm}/protocols/openid-connect/grants/access</literal>, <literal>/realms/{realm}/protocols/openid-connect/refresh</literal>,
+                    <literal>/realms/{realm}/protocols/openid-connect/access/codes)</literal> are now deprecated and will be removed
+                    in a future version.
+                </para>
+            </simplesect>
+        </section>
         <section>
             <title>Migrating from 1.1.0.Beta2 to 1.1.0.Final</title>
             <itemizedlist>

examples/demo-template/database-service/src/main/webapp/WEB-INF/keycloak.json

@@ -2,6 +2,7 @@
   "realm" : "demo",
   "resource" : "database-service",
   "realm-public-key" : "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
+  "auth-server-url": "/auth",
   "bearer-only" : true,
   "ssl-required" : "external"
 }

examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/boundary/ProtectedServlet.java

@@ -52,7 +52,7 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws Se
         PrintWriter writer = resp.getWriter();
 
         writer.write("Realm: ");
-        writer.write(principal.getKeycloakSecurityContext().getIdToken().getIssuer());
+        writer.write(principal.getKeycloakSecurityContext().getRealm());
 
         writer.write("<br/>User: ");
         writer.write(principal.getKeycloakSecurityContext().getIdToken().getPreferredUsername());

integration/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java

@@ -64,7 +64,7 @@ public AuthOutcome authenticate(HttpFacade exchange)  {
 
     protected AuthOutcome authenticateToken(HttpFacade exchange, String tokenString) {
         try {
-            token = RSATokenVerifier.verifyToken(tokenString, deployment.getRealmKey(), deployment.getRealm());
+            token = RSATokenVerifier.verifyToken(tokenString, deployment.getRealmKey(), deployment.getRealmInfoUrl());
         } catch (VerificationException e) {
             log.error("Failed to verify token", e);
             challenge = challengeResponse(exchange, "invalid_token", e.getMessage());

integration/adapter-core/src/main/java/org/keycloak/adapters/CookieTokenStore.java

@@ -54,7 +54,7 @@ public static KeycloakPrincipal<RefreshableKeycloakSecurityContext> getPrincipal
 
         try {
             // Skip check if token is active now. It's supposed to be done later by the caller
-            AccessToken accessToken = RSATokenVerifier.verifyToken(accessTokenString, deployment.getRealmKey(), deployment.getRealm(), false);
+            AccessToken accessToken = RSATokenVerifier.verifyToken(accessTokenString, deployment.getRealmKey(), deployment.getRealmInfoUrl(), false);
             IDToken idToken;
             if (idTokenString != null && idTokenString.length() > 0) {
                 JWSInput input = new JWSInput(idTokenString);

integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java

@@ -311,7 +311,7 @@ protected AuthChallenge resolveCode(String code) {
         refreshToken = tokenResponse.getRefreshToken();
         idTokenString = tokenResponse.getIdToken();
         try {
-            token = RSATokenVerifier.verifyToken(tokenString, deployment.getRealmKey(), deployment.getRealm());
+            token = RSATokenVerifier.verifyToken(tokenString, deployment.getRealmKey(), deployment.getRealmInfoUrl());
             if (idTokenString != null) {
                 JWSInput input = new JWSInput(idTokenString);
                 try {

integration/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java

@@ -107,7 +107,7 @@ public boolean refreshExpiredToken(boolean checkActive) {
         String tokenString = response.getToken();
         AccessToken token = null;
         try {
-            token = RSATokenVerifier.verifyToken(tokenString, deployment.getRealmKey(), deployment.getRealm());
+            token = RSATokenVerifier.verifyToken(tokenString, deployment.getRealmKey(), deployment.getRealmInfoUrl());
             log.debug("Token Verification succeeded!");
         } catch (VerificationException e) {
             log.error("failed verification of token");

integration/adapter-core/src/main/java/org/keycloak/adapters/jaas/AbstractKeycloakLoginModule.java

@@ -173,7 +173,7 @@ public boolean logout() throws LoginException {
 
 
     protected Auth bearerAuth(String tokenString) throws VerificationException {
-        AccessToken token = RSATokenVerifier.verifyToken(tokenString, deployment.getRealmKey(), deployment.getRealm());
+        AccessToken token = RSATokenVerifier.verifyToken(tokenString, deployment.getRealmKey(), deployment.getRealmInfoUrl());
 
         boolean verifyCaller;
         if (deployment.isUseResourceRoleMappings()) {

integration/installed/src/main/java/org/keycloak/adapters/installed/KeycloakInstalled.java

@@ -193,7 +193,7 @@ private void parseAccessToken(AccessTokenResponse tokenResponse) throws Verifica
         refreshToken = tokenResponse.getRefreshToken();
         idTokenString = tokenResponse.getIdToken();
 
-        token = RSATokenVerifier.verifyToken(tokenString, deployment.getRealmKey(), deployment.getRealm());
+        token = RSATokenVerifier.verifyToken(tokenString, deployment.getRealmKey(), deployment.getRealmInfoUrl());
         if (idTokenString != null) {
             JWSInput input = new JWSInput(idTokenString);
             try {

services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java

@@ -59,6 +59,7 @@ public class OIDCLoginProtocol implements LoginProtocol {
     public static final String PROMPT_PARAM = "prompt";
     public static final String LOGIN_HINT_PARAM = "login_hint";
     public static final String LOGOUT_REDIRECT_URI = "OIDC_LOGOUT_REDIRECT_URI";
+    public static final String ISSUER = "iss";
 
     private static final Logger log = Logger.getLogger(OIDCLoginProtocol.class);
 

services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java

@@ -314,7 +314,7 @@ protected AccessToken initToken(RealmModel realm, ClientModel client, UserModel
         token.audience(client.getClientId());
         token.issuedNow();
         token.issuedFor(client.getClientId());
-        token.issuer(realm.getName());
+        token.issuer(clientSession.getNote(OIDCLoginProtocol.ISSUER));
         if (session != null) {
             token.setSessionState(session.getId());
         }

services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java

@@ -223,6 +223,7 @@ private void createClientSession() {
         clientSession.setNote(ClientSessionCode.ACTION_KEY, KeycloakModelUtils.generateCodeSecret());
         clientSession.setNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, responseType);
         clientSession.setNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, redirectUriParam);
+        clientSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()));
 
         if (state != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, state);
         if (scope != null) clientSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, scope);

services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java

@@ -29,6 +29,7 @@
 import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.services.managers.ClientSessionCode;
 import org.keycloak.services.resources.Cors;
+import org.keycloak.services.resources.flows.Urls;
 
 import javax.ws.rs.Consumes;
 import javax.ws.rs.OPTIONS;
@@ -319,6 +320,7 @@ public Response buildResourceOwnerPasswordCredentialsGrant() {
 
         ClientSessionModel clientSession = sessions.createClientSession(realm, client);
         clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL);
+        clientSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()));
 
         TokenManager.attachClientSession(userSession, clientSession);
 

services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java

@@ -39,6 +39,7 @@
 import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.services.managers.EventsManager;
 import org.keycloak.services.resources.Cors;
+import org.keycloak.services.resources.flows.Urls;
 
 import javax.ws.rs.Consumes;
 import javax.ws.rs.FormParam;
@@ -52,6 +53,7 @@
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.Response.Status;
+import javax.ws.rs.core.UriInfo;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -66,6 +68,9 @@ public class UserInfoEndpoint {
     @Context
     private HttpResponse response;
 
+    @Context
+    private UriInfo uriInfo;
+
     @Context
     private KeycloakSession session;
 
@@ -114,7 +119,7 @@ private Response issueUserInfo(String tokenString) {
 
         AccessToken token = null;
         try {
-            token = RSATokenVerifier.verifyToken(tokenString, realm.getPublicKey(), realm.getName());
+            token = RSATokenVerifier.verifyToken(tokenString, realm.getPublicKey(), Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()));
         } catch (Exception e) {
             throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "Token invalid", Status.FORBIDDEN);
         }

services/src/main/java/org/keycloak/protocol/oidc/endpoints/ValidateTokenEndpoint.java

@@ -15,6 +15,7 @@
 import org.keycloak.protocol.oidc.TokenManager;
 import org.keycloak.representations.AccessToken;
 import org.keycloak.services.ErrorResponseException;
+import org.keycloak.services.resources.flows.Urls;
 
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
@@ -68,7 +69,7 @@ public Response validateAccessToken(@QueryParam("access_token") String tokenStri
         event.event(EventType.VALIDATE_ACCESS_TOKEN);
         AccessToken token = null;
         try {
-            token = RSATokenVerifier.verifyToken(tokenString, realm.getPublicKey(), realm.getName());
+            token = RSATokenVerifier.verifyToken(tokenString, realm.getPublicKey(), Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()));
         } catch (Exception e) {
             Map<String, String> err = new HashMap<String, String>();
             err.put(OAuth2Constants.ERROR, OAuthErrorException.INVALID_GRANT);

services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java

@@ -32,6 +32,7 @@
 import org.keycloak.services.resources.LoginActionsService;
 import org.keycloak.services.resources.RealmsResource;
 import org.keycloak.services.resources.flows.Flows;
+import org.keycloak.services.resources.flows.Urls;
 import org.keycloak.services.util.CookieHelper;
 import org.keycloak.services.validation.Validation;
 import org.keycloak.util.Time;
@@ -192,12 +193,12 @@ public static Response finishBrowserLogout(KeycloakSession session, RealmModel r
     }
 
 
-    public static AccessToken createIdentityToken(RealmModel realm, UserModel user, UserSessionModel session) {
+    public static AccessToken createIdentityToken(RealmModel realm, UserModel user, UserSessionModel session, String issuer) {
         AccessToken token = new AccessToken();
         token.id(KeycloakModelUtils.generateId());
         token.issuedNow();
         token.subject(user.getId());
-        token.issuer(realm.getName());
+        token.issuer(issuer);
         if (session != null) {
             token.setSessionState(session.getId());
         }
@@ -209,7 +210,8 @@ public static AccessToken createIdentityToken(RealmModel realm, UserModel user,
 
     public static void createLoginCookie(RealmModel realm, UserModel user, UserSessionModel session, UriInfo uriInfo, ClientConnection connection) {
         String cookiePath = getIdentityCookiePath(realm, uriInfo);
-        AccessToken identityToken = createIdentityToken(realm, user, session);
+        String issuer = Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName());
+        AccessToken identityToken = createIdentityToken(realm, user, session, issuer);
         String encoded = encodeToken(realm, identityToken);
         boolean secureOnly = realm.getSslRequired().isRequired(connection);
         int maxAge = NewCookie.DEFAULT_MAX_AGE;
@@ -443,7 +445,7 @@ protected static void isEmailVerificationRequired(RealmModel realm, UserModel us
 
     protected AuthResult verifyIdentityToken(KeycloakSession session, RealmModel realm, UriInfo uriInfo, ClientConnection connection, boolean checkActive, String tokenString, HttpHeaders headers) {
         try {
-            AccessToken token = RSATokenVerifier.verifyToken(tokenString, realm.getPublicKey(), realm.getName(), checkActive);
+            AccessToken token = RSATokenVerifier.verifyToken(tokenString, realm.getPublicKey(), Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()), checkActive);
             if (checkActive) {
                 if (!token.isActive() || token.getIssuedAt() < realm.getNotBefore()) {
                     logger.debug("identity cookie expired");

services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java

@@ -140,7 +140,7 @@ protected AdminAuth authenticateRealmAdminRequest(HttpHeaders headers) {
         } catch (IOException e) {
             throw new UnauthorizedException("Bearer token format error");
         }
-        String realmName = token.getIssuer();
+        String realmName = token.getIssuer().substring(token.getIssuer().lastIndexOf('/') + 1);
         RealmManager realmManager = new RealmManager(session);
         RealmModel realm = realmManager.getRealmByName(realmName);
         if (realm == null) {

services/src/main/java/org/keycloak/services/resources/flows/Urls.java

@@ -158,6 +158,10 @@ public static UriBuilder loginUsernameReminderBuilder(URI baseUri) {
         return requiredActionsBase(baseUri).path(LoginActionsService.class, "usernameReminder");
     }
 
+    public static String realmIssuer(URI baseUri, String realmId) {
+        return realmBase(baseUri).path("{realm}").build(realmId).toString();
+    }
+
     private static UriBuilder realmBase(URI baseUri) {
         return UriBuilder.fromUri(baseUri).path(RealmsResource.class);
     }

testsuite/integration/src/test/java/org/keycloak/testsuite/OAuthClient.java

@@ -225,7 +225,7 @@ else if (clientId != null) {
 
     public AccessToken verifyToken(String token) {
         try {
-            return RSATokenVerifier.verifyToken(token, realmPublicKey, realm);
+            return RSATokenVerifier.verifyToken(token, realmPublicKey, baseUrl + "/realms/" + realm);
         } catch (VerificationException e) {
             throw new RuntimeException("Failed to verify token", e);
         }