[keycloak-dev] Gatekeeper: Incorrect validation of access token in lieu of ID token
Patrik Sletmo
patrik.sletmo at gmail.com
Fri Oct 11 07:56:10 EDT 2019
Hi!
I'd like to raise the issue that the token validation present in Keycloak
Gatekeeper is incorrectly implemented. Currently, the access token is
validated *as if it were an ID token*, if it is defined in the reply to
/oauth/callback. This behavior is the result of substituting the ID token
with the access token, if present [1], and then validating it [2].
The OpenID Connect specification require that several fields (such as iss,
sub and aud) are present in the ID token [3]. Therefore, the presence of
these fields should be validated for the ID token [4], and NOT for the
access token [5].
Since the wrong access token is validated in Gatekeeper, OpenID Connect
providers that do not supply the mandatory ID token fields in the access
token are rejected, making them incompatible with Gatekeeper.
What are your opinion on this matter? I would like this issue resolved so
that more OpenID Connect providers can be used together with Gatekeeper in
the future.
[1]
https://github.com/keycloak/keycloak-gatekeeper/blob/master/handlers.go#L156
[2]
https://github.com/keycloak/keycloak-gatekeeper/blob/master/handlers.go#L163
[3] https://openid.net/specs/openid-connect-core-1_0.html#IDToken
[4] https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
[5]
https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowTokenValidation
Regards,
Patrik Sletmo
More information about the keycloak-dev
mailing list