Remove saml2 support for standard token exchange v2

Closes #37121

Signed-off-by: Giuseppe Graziano <[email protected]>

Author: graziang

services/src/main/java/org/keycloak/protocol/oidc/tokenexchange/StandardTokenExchangeProvider.java

@@ -267,6 +267,13 @@ protected Response exchangeClientToOIDCClient(UserModel targetUser, UserSessionM
         return cors.add(Response.ok(res, MediaType.APPLICATION_JSON_TYPE));
     }
 
+    @Override
+    protected Response exchangeClientToSAML2Client(UserModel targetUser, UserSessionModel targetUserSession, String requestedTokenType, List<ClientModel> targetAudienceClients) {
+        event.detail(Details.REASON, "requested_token_type unsupported");
+        event.error(Errors.INVALID_REQUEST);
+        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "requested_token_type unsupported", Response.Status.BAD_REQUEST);
+    }
+
     protected void checkRequestedAudiences(TokenManager.AccessTokenResponseBuilder responseBuilder) {
         if (params.getAudience() != null && (responseBuilder.getAccessToken().getAudience() == null ||
                 responseBuilder.getAccessToken().getAudience().length < params.getAudience().size())) {
@@ -297,7 +304,7 @@ protected String getRequestedTokenType() {
         } else if (!requestedTokenType.equals(OAuth2Constants.ACCESS_TOKEN_TYPE) &&
                 !requestedTokenType.equals(OAuth2Constants.REFRESH_TOKEN_TYPE) &&
                 !requestedTokenType.equals(OAuth2Constants.ID_TOKEN_TYPE) &&
-                !requestedTokenType.equals(OAuth2Constants.SAML2_TOKEN_TYPE)) { // TODO: SAML probably won't be supported?
+                !requestedTokenType.equals(OAuth2Constants.SAML2_TOKEN_TYPE)) {
             event.detail(Details.REASON, "requested_token_type unsupported");
             event.error(Errors.INVALID_REQUEST);
             throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "requested_token_type unsupported", Response.Status.BAD_REQUEST);

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/tokenexchange/StandardTokenExchangeV2Test.java

@@ -175,11 +175,10 @@ public void testRequestedTokenType() throws Exception {
         assertEquals(OAuthErrorException.INVALID_REQUEST, response.getError());
         assertEquals("requested_token_type unsupported", response.getErrorDescription());
 
-        //TODO: saml token type should not be supported
-        // response = tokenExchange(accessToken, "requester-client", "secret", null, Map.of(OAuth2Constants.REQUESTED_TOKEN_TYPE, OAuth2Constants.SAML2_TOKEN_TYPE));
-        // assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatusCode());
-        // assertEquals(OAuthErrorException.INVALID_REQUEST, response.getError());
-        //assertEquals("requested_token_type unsupported", response.getErrorDescription());
+        response = tokenExchange(accessToken, "requester-client", "secret", null, Map.of(OAuth2Constants.REQUESTED_TOKEN_TYPE, OAuth2Constants.SAML2_TOKEN_TYPE));
+        assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatusCode());
+        assertEquals(OAuthErrorException.INVALID_REQUEST, response.getError());
+        assertEquals("requested_token_type unsupported", response.getErrorDescription());
 
         response = tokenExchange(accessToken, "requester-client", "secret", null, Map.of(OAuth2Constants.REQUESTED_TOKEN_TYPE, "WRONG_TOKEN_TYPE"));
         assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatusCode());