keycloak-aplcache
Changes
services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponseBuilder.java 7(+7 -0)
Details
diff --git a/services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponseBuilder.java b/services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponseBuilder.java
index 81d556e..17002ab 100644
--- a/services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponseBuilder.java
+++ b/services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponseBuilder.java
@@ -23,6 +23,7 @@ import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.policy.evaluation.Result;
import org.keycloak.authorization.util.Permissions;
+import org.keycloak.models.ClientModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.authorization.DecisionEffect;
import org.keycloak.representations.idm.authorization.PolicyEvaluationResponse;
@@ -55,6 +56,12 @@ public class PolicyEvaluationResponseBuilder {
authorizationData.setPermissions(Permissions.permits(results, null, authorization, resourceServer));
accessToken.setAuthorization(authorizationData);
+ ClientModel clientModel = authorization.getRealm().getClientById(resourceServer.getId());
+
+ if (!accessToken.hasAudience(clientModel.getClientId())) {
+ accessToken.audience(clientModel.getClientId());
+ }
+
response.setRpt(accessToken);
if (results.stream().anyMatch(evaluationResult -> evaluationResult.getEffect().equals(Decision.Effect.DENY))) {
diff --git a/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java b/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java
index d407613..3f9fb06 100644
--- a/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java
+++ b/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java
@@ -25,7 +25,6 @@ import org.keycloak.authorization.authorization.representation.AuthorizationRequ
import org.keycloak.authorization.authorization.representation.AuthorizationResponse;
import org.keycloak.authorization.common.KeycloakEvaluationContext;
import org.keycloak.authorization.common.KeycloakIdentity;
-import org.keycloak.authorization.entitlement.representation.EntitlementResponse;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
@@ -39,6 +38,7 @@ import org.keycloak.authorization.util.Permissions;
import org.keycloak.authorization.util.Tokens;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
+import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.TokenManager;
@@ -119,7 +119,7 @@ public class AuthorizationTokenService {
List<Permission> entitlements = Permissions.permits(result, authorizationRequest.getMetadata(), authorization, resourceServer);
if (!entitlements.isEmpty()) {
- AuthorizationResponse response = new AuthorizationResponse(createRequestingPartyToken(entitlements, identity.getAccessToken()));
+ AuthorizationResponse response = new AuthorizationResponse(createRequestingPartyToken(entitlements, identity.getAccessToken(), resourceServer));
return Cors.add(httpRequest, Response.status(Status.CREATED).entity(response)).allowedOrigins(identity.getAccessToken())
.allowedMethods("POST")
.exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
@@ -254,12 +254,18 @@ public class AuthorizationTokenService {
return this.authorization.getKeycloakSession().getContext().getRealm();
}
- private String createRequestingPartyToken(List<Permission> permissions, AccessToken accessToken) {
+ private String createRequestingPartyToken(List<Permission> permissions, AccessToken accessToken, ResourceServer resourceServer) {
AccessToken.Authorization authorization = new AccessToken.Authorization();
authorization.setPermissions(permissions);
accessToken.setAuthorization(authorization);
+ ClientModel clientModel = this.authorization.getRealm().getClientById(resourceServer.getId());
+
+ if (!accessToken.hasAudience(clientModel.getClientId())) {
+ accessToken.audience(clientModel.getClientId());
+ }
+
return new TokenManager().encodeToken(session, getRealm(), accessToken);
}
diff --git a/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java b/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java
index 0108eab..b7a327f 100644
--- a/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java
+++ b/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java
@@ -167,7 +167,7 @@ public class EntitlementService {
List<Permission> entitlements = Permissions.permits(result, metadata, authorization, resourceServer);
if (!entitlements.isEmpty()) {
- return Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements, identity.getAccessToken())))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
+ return Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements, identity.getAccessToken(), resourceServer)))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
}
} catch (Exception cause) {
logger.error(cause);
@@ -184,13 +184,19 @@ public class EntitlementService {
.exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
}
- private String createRequestingPartyToken(List<Permission> permissions, AccessToken accessToken) {
+ private String createRequestingPartyToken(List<Permission> permissions, AccessToken accessToken, ResourceServer resourceServer) {
RealmModel realm = this.authorization.getKeycloakSession().getContext().getRealm();
AccessToken.Authorization authorization = new AccessToken.Authorization();
authorization.setPermissions(permissions);
accessToken.setAuthorization(authorization);
+ ClientModel clientModel = realm.getClientById(resourceServer.getId());
+
+ if (!accessToken.hasAudience(clientModel.getClientId())) {
+ accessToken.audience(clientModel.getClientId());
+ }
+
return new TokenManager().encodeToken(this.authorization.getKeycloakSession(), realm, accessToken);
}