Registration Access Token's issuer claim prevents smooth migration of the realm's issuer
#28045
Labels
area/oidc
Indicates an issue on OIDC area
kind/enhancement
Categorizes a PR related to an enhancement
status/triage
team/core-clients
Comments
reda-alaoui
added
kind/enhancement
reda-alaoui
changed the title
Registration Access Token's issuer claim prevents smooth migration of the Keycloak issuerRegistration Access Token's issuer claim prevents smooth migration of the realm's issuer
|
It can be nice if this is handled by default client policies ( #27188 ) once they are supported. See this comment for the details: #28054 (review) . |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Authenticating to Keycloak via internet domain A using
Registration Access Tokengenerated on internet domain B will fail.Discussion
No response
Motivation
We have a Keycloak instance deployed on internet domain A that we want to move to domain B.
Many Keycloak's clients have persisted registration access tokens associated to domain A. Those tokens are rejected when trying to use them on domain B because of their issuer values.
Details
https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.java#L97-L97
The registration access token authentication, in addition to the usual JWT validations, compares the
registrationTokenstored in theCliententity with the JWTjticlaim (https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java#L189-L189).Therefore, isn't it overkill to also verify the
issuerclaim for this kind of token?The text was updated successfully, but these errors were encountered: