I am adding some OIDC specs JIRAs with possibility how to fix them. I am
including those, which will be easy to fix and I can look into them
later today or tomorrow before PTO :
https://issues.jboss.org/browse/KEYCLOAK-3189 - Add 'typ' to JWT header
<https://issues.jboss.org/browse/KEYCLOAK-3190> - Add 'kid' to JWT header
https://issues.jboss.org/browse/KEYCLOAK-3217 - UserInfo endpoint not
accessible by POST request secured with Bearer header
https://issues.jboss.org/browse/KEYCLOAK-3147 - OpenID Connect auth
request redirect_uri behaviour not according to spec
<https://issues.jboss.org/browse/KEYCLOAK-3222> - WellKnown endpoint
doesn't return supported types of client authentication
https://issues.jboss.org/browse/KEYCLOAK-3219 - WellKnown endpoint
doesn't support claims_supported
All of those are quite straightforward and easy to fix IMO.
Besides that, there are those 2, which I first rather want to confirm
what exactly to do:
- https://issues.jboss.org/browse/KEYCLOAK-3221 Tokens not invalidated
if an attempt to reuse code is made
We have just single-use code (which is good), however OAuth2 specs
recommends to invalidate existing tokens if an attempt to reuse code is
done. And one OIDC test is in WARNING state because of it (it tries to
access UserInfo endpoint with the accessToken issued with the reused code).
I can see 2 possibilities to fix:
a) Invalidate just single clientSession where "code" attempt reuse was made
b) Logout whole userSession
It looks to me that (a) is sufficient solution. The potential issue with
(b) is, that if attacker can steal code, it gives him the possibility to
trigger global logout of user from all apps. WDYT?
- https://issues.jboss.org/browse/KEYCLOAK-3218 Support for "max_age" in
AuthorizationEndpoint and "auth_time" claim on IDToken
The possibility to implement is :
- Add new note AUTH_TIME to UserSessionModel. It will be time when
authentication of user was fully finished (including requiredActions).
Session note is used just so we don't need to change the model ;)
- If "max_age" parameter was requested, the "auth_time" will be added to
IDToken (or I will re-check specs if we should rather always add it to
- I am also thinking about adding hook to CookieAuthenticator, so that
if max_age parameter was used and userSession authTime is too "old", the
CookieAuthenticator will be ignored and user will need to
re-authenticate with other authenticators (username/password form etc).
Then authTime will be updated on userSession once authentication is
That will leave us with bigger things for OIDC Basic certification (
scope parameter support, possibly 'claims' param support and 'acr' support).
I am thinking whether to add configuration switch in admin console per
client, where you can define what is the adapter version the particular
client is using. In that case, some behaviour can be different/backwards
Example: For new clients, we will include IDToken just if they use
"scope=openid" . However for clients with adapter "1.9" or older, the
IDToken will be included even if "scope=openid" is not used.
I've started work on Client Registration CLI tool. As a first step, here is
a design document describing how I imagine the tool would be used.
I'll use this document as a spec / guide as I implement the client tool.
Within days I'll also send a link to initial ideas for Admin Client tool
which in principle should allow administrator to configure everything that
can otherwise be done through Admin Console.
Any feedback welcome.