Registration Access Token's issuer claim prevents smooth migration of the realm's issuer
#28045
Labels
area/oidc, kind/enhancement, status/triage, team/core-clients
Description
Authenticating to Keycloak via internet domain A using a Registration Access Token generated on internet domain B will fail.
Discussion
No response
Motivation
We have a Keycloak instance deployed on internet domain A that we want to move to domain B.
Many of Keycloak's clients have persisted registration access tokens associated with domain A. Those tokens are rejected when trying to use them on domain B because of their issuer values.
Details
https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.java#L97-L97
The registration access token authentication, in addition to the usual JWT validations, compares the registrationToken stored in the Client entity with the JWT jti claim (https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java#L189-L189). Therefore, isn't it overkill to also verify the issuer claim for this kind of token?
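The following is an added, self-contained model of the two checks the issue contrasts (it is not Keycloak's code, and the function names, claim layout and sample values are assumptions made for illustration). It signs tokens with HS256 and a shared secret purely so it runs on the standard library; Keycloak signs with the realm's asymmetric keys. The scenario mints a registration access token under issuer A, stores its jti on the client record, then tries to use it under issuer B with and without the issuer check, after the stored token has been rotated, and with a forged token that carries issuer B but lacks the realm key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret standing in for the realm signing key (assumption:
# Keycloak uses an asymmetric realm key; HS256 is used here only for portability).
REALM_SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_registration_token(issuer, client_id, jti, secret=REALM_SECRET, now=None):
    """Mint an HS256 JWT carrying iss, aud, sub, jti and iat (assumed claim set)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "aud": issuer, "sub": client_id, "jti": jti, "iat": now}
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(payload).encode())}"
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_signature_and_parse(token, secret=REALM_SECRET):
    """Return the claims if the HMAC signature verifies, else None."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def authenticate(token, client_record, expected_issuer, check_issuer=True, secret=REALM_SECRET):
    """Return (ok, reason).

    Models the checks discussed in the issue: signature, an optional issuer
    comparison, and the binding of the JWT jti to the registrationToken value
    stored on the client record.
    """
    claims = verify_signature_and_parse(token, secret)
    if claims is None:
        return False, "bad signature"
    if check_issuer and claims.get("iss") != expected_issuer:
        return False, "issuer mismatch"
    stored = client_record.get("registrationToken")
    if stored is None or not hmac.compare_digest(stored, claims.get("jti", "")):
        return False, "jti does not match stored registrationToken"
    return True, "ok"


def migration_scenario():
    """Run the issuer-migration cases and return their outcomes by name."""
    jti = "c0ffee-0001"  # constructed token id, persisted on the client at issue time
    client = {"clientId": "my-app", "registrationToken": jti}
    issuer_a = "https://a.example/realms/demo"  # constructed issuer URLs
    issuer_b = "https://b.example/realms/demo"
    token = issue_registration_token(issuer_a, client["clientId"], jti, now=1_700_000_000)

    results = {
        # Token minted under A, presented under B with the issuer check on.
        "strict_at_b": authenticate(token, client, issuer_b, check_issuer=True),
        # Same token, relying on the jti binding alone.
        "jti_only_at_b": authenticate(token, client, issuer_b, check_issuer=False),
    }
    # After rotation the client record holds a new token id; the old token must
    # fail even without the issuer check, which is what the jti binding provides.
    rotated = dict(client, registrationToken="c0ffee-0002")
    results["old_after_rotation"] = authenticate(token, rotated, issuer_b, check_issuer=False)
    # A forged token claiming issuer B but signed without the realm key.
    forged = issue_registration_token(issuer_b, client["clientId"], jti,
                                      secret=b"attacker-key", now=1_700_000_000)
    results["forged_at_b"] = authenticate(forged, client, issuer_b, check_issuer=True)
    return results


if __name__ == "__main__":
    for name, outcome in migration_scenario().items():
        print(f"{name}: {outcome}")
```

The jti comparison is what ties a presented token to exactly one client record and makes rotation invalidate old tokens; the issuer comparison only distinguishes tokens by the URL they were minted under. Whether dropping it is safe in a given deployment depends on what else changes in the migration, in particular whether the realm keeps the signing keys the old tokens were signed with.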