Supporting OAuth 2.1 for confidential clients

closes keycloak#25314 Co-authored-by: shigeyuki kabano <[email protected]> Signed-off-by: Takashi Norimatsu <[email protected]>
tnorimat · Dec 18, 2023 · d43e79d · d43e79d
1 parent d841971
commit d43e79d
Show file tree

Hide file tree

Showing 2 changed files with 134 additions and 0 deletions.
diff --git a/services/src/main/resources/keycloak-default-client-profiles.json b/services/src/main/resources/keycloak-default-client-profiles.json
@@ -284,6 +284,58 @@
           }
         }
       ]
+    },
+    {
+      "name": "oauth-2-1-for-confidential-client",
+      "description": "Client profile, which enforce confidential clients to conform 'OAuth 2.1' specification.",
+      "executors": [
+        {
+          "executor": "confidential-client",
+          "configuration": {}
+        },
+        {
+          "executor": "secure-client-authenticator",
+          "configuration": {
+            "allowed-client-authenticators": [
+              "client-jwt",
+              "client-x509"
+            ],
+             "default-client-authenticator": "client-jwt"
+          }
+        },
+        {
+          "executor": "secure-redirect-uris-enforcer",
+          "configuration": {
+            "allow-ipv4-loopback-address": "true",
+            "allow-ipv6-loopback-address": "true",
+            "allow-private-use-uri-scheme": "true"
+          }
+        },
+        {
+          "executor": "pkce-enforcer",
+          "configuration": {
+            "auto-configure": "true"
+          }
+        },
+        {
+          "executor": "holder-of-key-enforcer",
+          "configuration": {
+            "auto-configure": "true"
+          }
+        },
+        {
+          "executor": "reject-implicit-grant",
+          "configuration": {
+            "auto-configure": "true"
+          }
+        },
+        {
+          "executor": "reject-ropc-grant",
+          "configuration": {
+            "auto-configure": "true"
+          }
+        }
+      ]
     }
   ]
 }
diff --git a/...ests/base/src/test/java/org/keycloak/testsuite/client/OAuth2_1ConfidentialClientTest.java b/...ests/base/src/test/java/org/keycloak/testsuite/client/OAuth2_1ConfidentialClientTest.java
@@ -0,0 +1,82 @@
+/*
+ * Copyright 2023 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.keycloak.testsuite.client;
+
+import org.junit.Test;
+
+public class OAuth2_1ConfidentialClientTest extends AbstractFAPITest {
+
+    @Test
+    public void testOAuth2_1NotAllowImplicitGrant() throws Exception {
+        // TODO
+        // token request by implicit grant
+    }
+
+    @Test
+    public void testOAuth2_1NotAllowResourceOwnerPasswordCredentialsGrant() throws Exception {
+        // TODO
+        // token request by resource owner password credentials grant - fail
+    }
+
+    @Test
+    public void testOAuth2_1ClientAuthentication() throws Exception {
+        // TODO
+        // registration (auto-config, private-key-jwt) without setting - success
+        // update (auto-config, private-key-jwt) with setting (client-x509) - success
+        // token request by client credentials grant - success
+    }
+
+    @Test
+    public void testOAuth2_1ProofKeyForCodeExchange() throws Exception {
+        // TODO
+        // registration (auto-config) - success
+        // update (auto-config) - success
+        // authorization request - fail
+        // authorization request - success, token request - fail
+        // authorization request - success, token request - success
+    }
+
+    @Test
+    public void testOAuth2_1RedirectUris() throws Exception {
+        // TODO
+        // registration with invalid redirect_uri - fail
+        // registration with valid redirect_uri- success
+        // update with invalid redirect_uri - fail
+        // update with valid redirect_uri - success
+        // authorization with invalid redirect_uri request - fail
+        // authorization with valid redirect_uri request - success
+    }
+
+    @Test
+    public void testOAuth2_1OAuthMtlsSenderConstrainedToken() throws Exception {
+        // TODO
+        // registration (auto-config) - success
+        // update (auto-config) by private-key-jwt client authentication - success
+        // authorization request - success
+        // token request without X.509 client certificate - fail
+        // token request with X.509 client certificate - success
+        // token refresh request with other X.509 client certificate - fail
+        // token refresh request with the same X.509 client certificate - success
+        // userinfo request with other X.509 client certificate - fail
+        // userinfo request the same X.509 client certificate - success
+        // token revocation request with other X.509 client certificate - fail
+        // token revocation the same X.509 client certificate - success
+    }
+
+}