External to Internal Token Exchange validation behavior with JWT subject_token_type does not work as described within the documentation #14922
Labels
area/token-exchange
help wanted
kind/bug
priority/normal
status/auto-bump
team/core-clients
Describe the bug
Token exchanges with JWT as subject_token_type always attempt to validate via the userinfo endpoint instead of JWT signature validation, except when the userinfo endpoint is explicitly disabled.
I am wondering if this is working as intended, or has been documented wrong.
Version
19.0.2
Expected behavior
From the Keycloak docs:
Actual behavior
When a token with subject_token_type urn:ietf:params:oauth:token-type:jwt is sent, Keycloak attempts to make a validation with the user info endpoint except for when the user info endpoint is explicitly disabled on the Identity Provider.
How to Reproduce?
Anything else?
I bumped into this bug because I am using an OIDC Identity Provider that does not completely implement the OIDC specification. Specifically, they do not support calling the user info endpoint with an OAuth 2.0 Access Token. They only support a JWT for some reason.
It seems that Keycloak always calls the user info endpoint with the OAuth 2.0 Access Token, which results in errors when attempting token exchanges (even though, according to the documentation, it should not be attempted).
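As an added example (not code from the issue or from Keycloak), this is the request shape behind the report: a pre-flight check that the subject token really is a signed, unexpired JWT from the brokered issuer, and the form body of an external-to-internal exchange with subject_token_type urn:ietf:params:oauth:token-type:jwt. The issuer URL, client id and sample token are constructed placeholders; whether the broker then validates that token by signature or by calling userinfo is exactly what the report is about.

```python
import base64
import json
import time
import urllib.parse

# Grant type and subject token type named in the report (RFC 8693 URNs).
GRANT_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TYPE_JWT = "urn:ietf:params:oauth:token-type:jwt"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_jwt(token: str, expected_issuer: str) -> dict:
    """Confirm the subject token is a signed, unexpired JWT from the brokered IdP.
    Signature verification is the broker's job; this only rejects tokens that could
    never pass JWT validation (e.g. an opaque access token sent with the JWT type)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned JWT cannot be signature-validated")
    if claims.get("iss") != expected_issuer:
        raise ValueError(f"issuer {claims.get('iss')!r} does not match subject_issuer")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("subject token is expired")
    return claims

def exchange_form(client_id: str, subject_token: str, subject_issuer: str) -> str:
    """URL-encoded body for POST /realms/<realm>/protocol/openid-connect/token."""
    return urllib.parse.urlencode({
        "grant_type": GRANT_TOKEN_EXCHANGE,
        "client_id": client_id,
        "subject_token": subject_token,
        "subject_token_type": TYPE_JWT,
        "subject_issuer": subject_issuer,  # IdP alias or issuer configured in Keycloak
    })

# Constructed sample: a JWT-shaped token from a placeholder IdP; signature bytes are fake.
SAMPLE_ISSUER = "https://idp.example.test"
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode()),
    _b64url(json.dumps({"iss": SAMPLE_ISSUER, "sub": "alice", "exp": 4102444800}).encode()),
    _b64url(b"fake-signature"),
])
```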