Remove public client support for standard token exchange v2

Closes #37111

Signed-off-by: Giuseppe Graziano <[email protected]>

Author: graziang

services/src/main/java/org/keycloak/protocol/oidc/tokenexchange/AbstractTokenExchangeProvider.java

@@ -267,7 +267,7 @@ protected void validateAudience(AccessToken token, boolean disallowOnHolderOfTok
                     forbiddenIfClientIsNotTokenHolder(disallowOnHolderOfTokenMismatch, tokenHolder);
                 } else if (!client.equals(tokenHolder)) {
                     // confidential clients can only exchange to themselves if they are within the token audience
-                    forbiddenIfClientIsNotWithinTokenAudience(token, tokenHolder);
+                    forbiddenIfClientIsNotWithinTokenAudience(token);
                 }
             } else {
                 if (client.isPublicClient()) {
@@ -308,7 +308,7 @@ protected Response exchangeClientToClient(UserModel targetUser, UserSessionModel
         throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "requested_token_type unsupported", Response.Status.BAD_REQUEST);
     }
 
-    protected void forbiddenIfClientIsNotWithinTokenAudience(AccessToken token, ClientModel tokenHolder) {
+    protected void forbiddenIfClientIsNotWithinTokenAudience(AccessToken token) {
         if (token != null && !token.hasAudience(client.getClientId())) {
             event.detail(Details.REASON, "client is not within the token audience");
             event.error(Errors.NOT_ALLOWED);

services/src/main/java/org/keycloak/protocol/oidc/tokenexchange/StandardTokenExchangeProvider.java

@@ -128,26 +128,17 @@ protected Response tokenExchange() {
 
     protected void validateAudience(AccessToken token, boolean disallowOnHolderOfTokenMismatch, List<ClientModel> targetAudienceClients) {
         ClientModel tokenHolder = token == null ? null : realm.getClientByClientId(token.getIssuedFor());
+
+        if (client.isPublicClient()) {
+            String errorMessage = "Public client is not allowed to exchange token";
+            event.detail(Details.REASON, errorMessage);
+            event.error(Errors.INVALID_CLIENT);
+            throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_CLIENT, errorMessage, Response.Status.BAD_REQUEST);
+        }
+
         //reject if the requester-client is not in the audience of the subject token
         if (!client.equals(tokenHolder)) {
-            forbiddenIfClientIsNotWithinTokenAudience(token, null);
-        }
-        for (ClientModel targetClient : targetAudienceClients) {
-            boolean isClientTheAudience = targetClient.equals(client);
-            if (isClientTheAudience) {
-                if (client.isPublicClient()) {
-                    // public clients can only exchange on to themselves if they are the token holder
-                    forbiddenIfClientIsNotTokenHolder(disallowOnHolderOfTokenMismatch, tokenHolder);
-                } else if (!client.equals(tokenHolder)) {
-                    // confidential clients can only exchange to themselves if they are within the token audience
-                    forbiddenIfClientIsNotWithinTokenAudience(token, tokenHolder);
-                }
-            } else {
-                if (client.isPublicClient()) {
-                    // public clients can not exchange tokens from other client
-                    forbiddenIfClientIsNotTokenHolder(disallowOnHolderOfTokenMismatch, tokenHolder);
-                }
-            }
+            forbiddenIfClientIsNotWithinTokenAudience(token);
         }
     }
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/tokenexchange/StandardTokenExchangeV2Test.java

@@ -207,6 +207,15 @@ public void testClientExchangeToItselfWithConsents() throws Exception {
         client.update(clientRepresentation);
     }
 
+    @Test
+    public void testExchangeWithPublicClient() throws Exception {
+        String accessToken = resourceOwnerLogin("john", "password","subject-client", "secret");
+        AccessTokenResponse response = tokenExchange(accessToken, "requester-client-public", null,  null, null);
+        org.junit.Assert.assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatusCode());
+        org.junit.Assert.assertEquals(OAuthErrorException.INVALID_CLIENT, response.getError());
+        org.junit.Assert.assertEquals("Public client is not allowed to exchange token", response.getErrorDescription());
+    }
+
     @Test
     public void testOptionalScopeParamRequestedWithoutAudience() throws Exception {
         String accessToken = resourceOwnerLogin("john", "password","subject-client", "secret");

testsuite/integration-arquillian/tests/base/src/test/resources/token-exchange/testrealm-token-exchange-v2.json

@@ -261,11 +261,8 @@
         "containerId" : "a11ebbaf-c0fd-46df-9fe7-64e94ac8d945",
         "attributes" : { }
       } ],
-      "invalid-requester-client" : [ ],
       "requester-client" : [ ],
       "security-admin-console" : [ ],
-      "subject-client" : [ ],
-      "admin-cli" : [ ],
       "target-client1" : [ {
         "id" : "b7eb747d-7aac-4e36-8ade-5b9875c9ed07",
         "name" : "target-client1-role",
@@ -294,7 +291,11 @@
         "containerId" : "52fbbee7-44ca-4a36-814f-95f18f632994",
         "attributes" : { }
       } ],
+      "requester-client-public" : [ ],
       "target-client3" : [ ],
+      "invalid-requester-client" : [ ],
+      "subject-client" : [ ],
+      "admin-cli" : [ ],
       "account" : [ {
         "id" : "4d92df58-f573-4dcc-9428-83c67595b0d3",
         "name" : "manage-consent",
@@ -1252,6 +1253,44 @@
     "nodeReRegistrationTimeout" : -1,
     "defaultClientScopes" : [ "service_account", "acr", "default-scope1", "roles", "basic" ],
     "optionalClientScopes" : [ "optional-scope2" ]
+  }, {
+    "id" : "2daeae03-ff78-4f79-8e72-1c4d443e1655",
+    "clientId" : "requester-client-public",
+    "name" : "",
+    "description" : "",
+    "rootUrl" : "",
+    "adminUrl" : "",
+    "baseUrl" : "",
+    "surrogateAuthRequired" : false,
+    "enabled" : true,
+    "alwaysDisplayInConsole" : false,
+    "clientAuthenticatorType" : "client-secret",
+    "redirectUris" : [ "/*" ],
+    "webOrigins" : [ "/*" ],
+    "notBefore" : 0,
+    "bearerOnly" : false,
+    "consentRequired" : false,
+    "standardFlowEnabled" : true,
+    "implicitFlowEnabled" : false,
+    "directAccessGrantsEnabled" : true,
+    "serviceAccountsEnabled" : false,
+    "publicClient" : true,
+    "frontchannelLogout" : true,
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "realm_client" : "false",
+      "oidc.ciba.grant.enabled" : "false",
+      "backchannel.logout.session.required" : "true",
+      "frontchannel.logout.session.required" : "true",
+      "oauth2.device.authorization.grant.enabled" : "false",
+      "display.on.consent.screen" : "false",
+      "backchannel.logout.revoke.offline.tokens" : "false"
+    },
+    "authenticationFlowBindingOverrides" : { },
+    "fullScopeAllowed" : true,
+    "nodeReRegistrationTimeout" : -1,
+    "defaultClientScopes" : [ "acr", "roles", "basic" ],
+    "optionalClientScopes" : [ ]
   }, {
     "id" : "9d94d530-3335-4bb9-bea8-e9476a812473",
     "clientId" : "security-admin-console",
@@ -2151,6 +2190,7 @@
     "xRobotsTag" : "none",
     "xFrameOptions" : "SAMEORIGIN",
     "contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
+    "xXSSProtection" : "1; mode=block",
     "strictTransportSecurity" : "max-age=31536000; includeSubDomains"
   },
   "smtpServer" : { },