Map token_exchange_enabled to Keycloak standard.token.exchange.enable…#594
Open
madnialihussain wants to merge 1 commit into
What this PR does / why we need it:
Maps the token_exchange_enabled OIDC flow from Porta to the Keycloak client attribute standard.token.exchange.enabled, enabling RHBK Standard Token Exchange (V2) on synced clients.
Unlike the other OIDC flows (standardFlowEnabled, implicitFlowEnabled, etc.) which are top-level Keycloak client fields, token exchange is controlled via the client attributes hash with key standard.token.exchange.enabled. This PR handles that difference in KeycloakAdapter::OAuthConfiguration.
Also adds the urn:ietf:params:oauth:grant-type:token-exchange grant type mapping in RESTAdapter::GrantTypes for non-Keycloak OIDC providers that follow RFC 8693.
Ticket requirements (THREESCALE-12102):
Add native support in APIcast for validating OBO tokens: (Verified). APIcast validates OBO tokens out of the box since they are standard JWTs. Tested by obtaining an OBO token via Keycloak token exchange and sending it through APIcast, returned HTTP 200.
Ensure compatibility with RHBK Standard Token Exchange (V2): Companion Porta PR adds the UI/API toggle. This Zync PR maps it to Keycloak's standard.token.exchange.enabled attribute. Verified end-to-end: toggle ON in Porta → Keycloak client shows standard.token.exchange.enabled: "true", toggle OFF → shows "false", toggle ON again → shows "true".
Provide configuration options to enforce policies based on both client and user claims: (Verified). The OBO token contains both client claims (azp, client_id) and user claims (sub, preferred_username, email, roles). APIcast extracts the client identity via jwt_claim_with_client_id (mapped to azp) for rate limiting, and existing policies like keycloak_role_check can enforce rules on user roles. Tested with an unknown client azp → APIcast returned HTTP 403.
Which issue(s) this PR fixes
https://redhat.atlassian.net/browse/THREESCALE-12102
Verification steps
Note: End-to-end testing (Porta → Zync → Keycloak → APIcast) was done by temporarily cherry-picking commits from PR #4310 (OIDC sync token rotation). Will re-test after #4310 is merged.
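The following is an added illustration of the mapping the PR description explains; it is not Zync's code and does not reproduce KeycloakAdapter::OAuthConfiguration or RESTAdapter::GrantTypes. It assumes Porta-side flag names (standard_flow_enabled, implicit_flow_enabled, direct_access_grants_enabled, service_accounts_enabled, token_exchange_enabled) and the grant-type strings for the non-Keycloak path; the attribute key standard.token.exchange.enabled, its string "true"/"false" values, and the RFC 8693 grant type are taken from the description above. The point it shows is the asymmetry the PR handles: the standard flows become top-level Keycloak client fields, while token exchange has to be written into (and read back from) the client attributes hash.

```ruby
# Added example, not Zync project code. Translates Porta OIDC flow flags into
# a Keycloak client representation and into RFC 8693-style grant types.

# Porta flag -> top-level Keycloak client field (flag names are assumed).
TOP_LEVEL_FLOWS = {
  standard_flow_enabled: 'standardFlowEnabled',
  implicit_flow_enabled: 'implicitFlowEnabled',
  direct_access_grants_enabled: 'directAccessGrantsEnabled',
  service_accounts_enabled: 'serviceAccountsEnabled'
}.freeze

# Token exchange is not a top-level field: Keycloak reads it from the client
# attributes hash under this key (key taken from the PR description).
TOKEN_EXCHANGE_ATTRIBUTE = 'standard.token.exchange.enabled'.freeze

# Builds the client representation hash that would be sent to Keycloak.
# Missing flags default to disabled so a partial Porta payload never leaves
# a flow silently enabled.
def keycloak_client_representation(client_id:, flows:)
  representation = { 'clientId' => client_id }
  TOP_LEVEL_FLOWS.each do |porta_key, keycloak_field|
    representation[keycloak_field] = flows.fetch(porta_key, false) == true
  end
  # Keycloak attribute values are strings, so the toggle is "true"/"false",
  # matching what the description reports seeing on the synced client.
  token_exchange = flows.fetch(:token_exchange_enabled, false) == true
  representation['attributes'] = { TOKEN_EXCHANGE_ATTRIBUTE => token_exchange.to_s }
  representation
end

# Reads the toggle back from a representation as Keycloak returns it, so a
# sync can verify the round trip (toggle ON -> "true", toggle OFF -> "false").
def token_exchange_enabled?(representation)
  attributes = representation['attributes'] || {}
  attributes[TOKEN_EXCHANGE_ATTRIBUTE] == 'true'
end

# Porta flag -> OAuth grant type for non-Keycloak OIDC providers. The token
# exchange URN is the RFC 8693 value from the PR; the others are assumed.
GRANT_TYPES = {
  standard_flow_enabled: 'authorization_code',
  implicit_flow_enabled: 'implicit',
  direct_access_grants_enabled: 'password',
  service_accounts_enabled: 'client_credentials',
  token_exchange_enabled: 'urn:ietf:params:oauth:grant-type:token-exchange'
}.freeze

# Returns the grant types to register for the flows that are switched on.
def grant_types_for(flows)
  GRANT_TYPES.select { |porta_key, _| flows[porta_key] == true }.values
end

if __FILE__ == $PROGRAM_NAME
  flows = { standard_flow_enabled: true, token_exchange_enabled: true }
  rep = keycloak_client_representation(client_id: 'porta-synced-client', flows: flows)
  puts rep.inspect
  puts "token exchange on Keycloak client: #{token_exchange_enabled?(rep)}"
  puts "grant types for other providers: #{grant_types_for(flows).inspect}"
end
```

Because the attribute is a string rather than a boolean, a comparison against `true` would always read the toggle as off; the reader function compares against `'true'` for that reason.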