Unable to use client tls certificate bound access token with the new admin UI #17790

Closed
syalioune opened this issue Mar 5, 2023 · 0 comments · Fixed by keycloak/keycloak-ui#4546
Labels: impact/high, kind/bug, team/ui

Describe the bug

When using the new admin UI, OAuth 2.0 Mutual TLS Certificate Bound Access Tokens do not work anymore.
After toggling the feature ON in the UI, the access tokens generated by Keycloak are not bound to the provided client certificate (i.e. no cnf claim).

Looking further into this, the culprit is admin-ui/src/clients/advanced/AdvancedSettings.tsx, which sets the related client attribute tls-client-certificate-bound-access-tokens instead of tls.client.certificate.bound.access.tokens.

The latter seems to be the correct value, as evidenced by admin-ui/src/clients/AdvancedTab.tsx and OIDCConfigAttributes.java.

Version

21.0.1

Environment

Browser chrome - version 110.0.5481.178

Expected behavior

The UI can correctly enable client TLS certificate bound access tokens and have access tokens generated with a cnf claim like below:

"cnf": {
	"x5t#S256": "qyW-2Q8rGkPwaqIfDl0aj5ekkyDUDSJ8vn3t_9KlIP0"
}

Actual behavior

The UI toggle for client TLS certificate bound access tokens sets the wrong client attribute, which results in no activation of the feature at all.

How to Reproduce?

See the README of hold-of-key-token-issue-reproduction.zip project.

It provides a Docker Compose stack to reproduce the issue and a manual correction with a one-line command.

Anything else?

No response
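
As an added example (not code from the issue or from the Keycloak project), the check below flags a client whose setting was saved under the wrong attribute key and tests whether a token's cnf claim matches a given certificate. It assumes the client representation carries an `attributes` map; the function names, the placeholder certificate bytes and the unsigned sample token are constructed for illustration.

```python
import base64
import hashlib
import json

# Attribute keys quoted in the issue: the one it identifies as correct, and the
# one the admin UI wrote instead.
CORRECT_KEY = "tls.client.certificate.bound.access.tokens"
WRONG_KEY = "tls-client-certificate-bound-access-tokens"
# Constructed placeholder standing in for a DER-encoded client certificate.
SAMPLE_CERT = b"constructed placeholder bytes, not a real certificate"


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used in JWTs and in x5t#S256."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def audit_client(client: dict) -> str:
    """Classify a client representation (assumed shape: {'attributes': {...}})."""
    attrs = client.get("attributes") or {}
    if str(attrs.get(CORRECT_KEY, "")).lower() == "true":
        return "bound"
    if str(attrs.get(WRONG_KEY, "")).lower() == "true":
        return "miskeyed"  # toggle shows ON, but tokens will carry no cnf claim
    return "disabled"


def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 per RFC 8705: base64url(SHA-256(DER certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())


def token_bound_to(access_token: str, cert_der: bytes) -> bool:
    """True only if the JWT payload has cnf.x5t#S256 equal to the thumbprint.
    Claims are inspected only; the signature is NOT verified here."""
    try:
        part = access_token.split(".")[1]
        payload = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    except (IndexError, ValueError):
        return False
    cnf = payload.get("cnf") if isinstance(payload, dict) else None
    return isinstance(cnf, dict) and cnf.get("x5t#S256") == cert_thumbprint(cert_der)


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT-shaped string for the demo."""
    return f"{b64url(b'{}')}.{b64url(json.dumps(claims).encode())}."


if __name__ == "__main__":
    print(audit_client({"attributes": {WRONG_KEY: "true"}}))
    print(token_bound_to(make_sample_token({"sub": "demo"}), SAMPLE_CERT))
```

A `miskeyed` result on a client combined with `False` from `token_bound_to` on a freshly issued token matches the behaviour reported above.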

syalioune added the kind/bug and status/triage labels Mar 5, 2023
syalioune referenced this issue in syalioune/keycloak-ui Mar 5, 2023
Wrong client attribute was used by the admin UI

Closes #4545
edewit self-assigned this Mar 6, 2023
ssilvert transferred this issue from keycloak/keycloak-ui Mar 15, 2023
jonkoops added this to the 21.0.2 milestone Mar 16, 2023