keycloak-uncached
services/src/main/java/org/keycloak/protocol/oidc/mappers/AudienceResolveProtocolMapper.java 7(+7 -0)
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/mappers/AudienceResolveProtocolMapper.java b/services/src/main/java/org/keycloak/protocol/oidc/mappers/AudienceResolveProtocolMapper.java
index a50861c..b1e1b86 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/mappers/AudienceResolveProtocolMapper.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/mappers/AudienceResolveProtocolMapper.java
@@ -79,7 +79,14 @@ public class AudienceResolveProtocolMapper extends AbstractOIDCProtocolMapper im
@Override
public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel, KeycloakSession session,
UserSessionModel userSession, ClientSessionContext clientSessionCtx) {
+ String clientId = clientSessionCtx.getClientSession().getClient().getClientId();
+
for (Map.Entry<String, AccessToken.Access> entry : RoleResolveUtil.getAllResolvedClientRoles(session, clientSessionCtx).entrySet()) {
+ // Don't add client itself to the audience
+ if (entry.getKey().equals(clientId)) {
+ continue;
+ }
+
AccessToken.Access access = entry.getValue();
if (access != null && access.getRoles() != null && !access.getRoles().isEmpty()) {
token.addAudience(entry.getKey());
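Review bot: The new `continue` at the `entry.getKey().equals(clientId)` check changes which resource servers can validate this token, and the comment does not say why or what to do instead: a client that also consumes its own access tokens and verifies `aud` against its own client id will now reject them (the updated assertion in OIDCProtocolMappersTest shows `test-app` disappearing from the audience), unless some other mapper puts it back. Suggest expanding the comment to `// Don't add the client itself to the audience - it is the token's requester, not a target resource. A client that must appear in its own 'aud' needs a dedicated audience mapper.` with the last sentence adjusted to whatever mapper this codebase actually provides, which the diff does not show. The skip runs before the null/empty-roles guard, so the client's own entry is excluded regardless of its resolved roles, which is presumably intended; if the map returned by `RoleResolveUtil.getAllResolvedClientRoles` could ever carry a null key, `Objects.equals(entry.getKey(), clientId)` would be the safer form, but I cannot confirm that from here.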
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OIDCProtocolMappersTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OIDCProtocolMappersTest.java
index 27b2d47..d4a1fc6 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OIDCProtocolMappersTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OIDCProtocolMappersTest.java
@@ -421,8 +421,8 @@ public class OIDCProtocolMappersTest extends AbstractKeycloakTest {
List<String> roles = (List<String>) cst1.get("roles");
Assert.assertNames(roles, "offline_access", "user", "customer-user", "hardcoded", AccountRoles.VIEW_PROFILE, AccountRoles.MANAGE_ACCOUNT, AccountRoles.MANAGE_ACCOUNT_LINKS);
- // Assert audience - "test-app" is added due the AudienceResolveProtocolMapper
- Assert.assertNames(Arrays.asList(accessToken.getAudience()), "account", "test-app");
+ // Assert audience
+ Assert.assertNames(Arrays.asList(accessToken.getAudience()), "account");
} finally {
// Revert
rolesScope.getProtocolMappers().delete(hardcodedMapperId);
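Review bot: The rewritten comment `// Assert audience` drops the explanation that the old one carried, and the reason the expected value changed is exactly what the next person debugging this assertion needs. Suggest `// Assert audience - "test-app" (the requesting client itself) is intentionally no longer added by AudienceResolveProtocolMapper`. The enclosing test method begins outside the hunk.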
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java
index ee3b3b4..d939816 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java
@@ -19,6 +19,7 @@ package org.keycloak.testsuite.oauth;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ArrayNode;
+import com.fasterxml.jackson.databind.node.TextNode;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.OAuth2Constants;
@@ -121,7 +122,10 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest {
assertEquals(jsonNode.get("sub").asText(), rep.getSubject());
List<String> audiences = new ArrayList<>();
- jsonNode.get("aud").forEach(childNode -> audiences.add(childNode.asText()));
+
+ // We have single audience in the token - hence it is simple string
+ assertTrue(jsonNode.get("aud") instanceof TextNode);
+ audiences.add(jsonNode.get("aud").asText());
Assert.assertNames(audiences, rep.getAudience());
assertEquals(jsonNode.get("iss").asText(), rep.getIssuer());