Make token exchange grant type supported by OIDC client registration

Closes #37554

Signed-off-by: rmartinc <[email protected]>

Author: rmartinc

services/src/main/java/org/keycloak/services/clientregistration/oidc/DescriptionConverter.java

@@ -33,6 +33,7 @@
 import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
 import org.keycloak.protocol.oidc.OIDCClientSecretConfigWrapper;
+import org.keycloak.protocol.oidc.OIDCConfigAttributes;
 import org.keycloak.protocol.oidc.OIDCLoginProtocol;
 import org.keycloak.protocol.oidc.mappers.PairwiseSubMapperHelper;
 import org.keycloak.protocol.oidc.utils.AuthorizeClientUtil;
@@ -120,6 +121,7 @@ public static ClientRepresentation toInternal(KeycloakSession session, OIDCClien
                 client.setServiceAccountsEnabled(oidcGrantTypes.contains(OAuth2Constants.CLIENT_CREDENTIALS));
                 setOidcGrantEnabled(client, CibaConfig.OIDC_CIBA_GRANT_ENABLED, oidcGrantTypes.contains(OAuth2Constants.CIBA_GRANT_TYPE));
                 setOidcGrantEnabled(client, OAuth2DeviceConfig.OAUTH2_DEVICE_AUTHORIZATION_GRANT_ENABLED, oidcGrantTypes.contains(OAuth2Constants.DEVICE_CODE_GRANT_TYPE));
+                setOidcGrantEnabled(client, OIDCConfigAttributes.STANDARD_TOKEN_EXCHANGE_ENABLED, oidcGrantTypes.contains(OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE));
                 client.setAuthorizationServicesEnabled(oidcGrantTypes.contains(OAuth2Constants.UMA_GRANT_TYPE));
                 configWrapper.setUseRefreshToken(oidcGrantTypes.contains(OAuth2Constants.REFRESH_TOKEN));
             }
@@ -132,6 +134,9 @@ public static ClientRepresentation toInternal(KeycloakSession session, OIDCClien
         if ("none".equals(authMethod)) {
             client.setClientAuthenticatorType("none");
             client.setPublicClient(Boolean.TRUE);
+            if (oidcGrantTypes != null && oidcGrantTypes.contains(OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE)) {
+                throw new ClientRegistrationException("Token Exchange cannot be enabled in a public client");
+            }
         } else {
             ClientAuthenticatorFactory clientAuthFactory;
             if (authMethod == null) {
@@ -532,9 +537,13 @@ private static List<String> getOIDCGrantTypes(ClientRepresentation client) {
         if (client.getAuthorizationServicesEnabled() != null && client.getAuthorizationServicesEnabled()) {
             grantTypes.add(OAuth2Constants.UMA_GRANT_TYPE);
         }
-        if (OIDCAdvancedConfigWrapper.fromClientRepresentation(client).isUseRefreshToken()) {
+        OIDCAdvancedConfigWrapper oidcClient = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
+        if (oidcClient.isUseRefreshToken()) {
             grantTypes.add(OAuth2Constants.REFRESH_TOKEN);
         }
+        if (!client.isPublicClient() && oidcClient.isStandardTokenExchangeEnabled()) {
+            grantTypes.add(OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE);
+        }
         return grantTypes;
     }
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCClientRegistrationResponseTypesAndGrantsTest.java

@@ -19,19 +19,25 @@
 
 package org.keycloak.testsuite.client;
 
+import jakarta.ws.rs.core.Response;
 import java.util.Collections;
 import java.util.List;
 
 import org.hamcrest.MatcherAssert;
+import org.hamcrest.Matchers;
 import org.junit.Before;
 import org.junit.Test;
+import org.keycloak.OAuthErrorException;
 import org.keycloak.client.registration.Auth;
 import org.keycloak.client.registration.ClientRegistrationException;
+import org.keycloak.client.registration.HttpErrorException;
 import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
 import org.keycloak.representations.idm.ClientInitialAccessCreatePresentation;
 import org.keycloak.representations.idm.ClientInitialAccessPresentation;
 import org.keycloak.representations.idm.ClientRepresentation;
+import org.keycloak.representations.idm.OAuth2ErrorRepresentation;
 import org.keycloak.representations.oidc.OIDCClientRepresentation;
+import org.keycloak.util.JsonSerialization;
 import org.keycloak.testsuite.Assert;
 
 import static org.hamcrest.Matchers.containsInAnyOrder;
@@ -41,6 +47,7 @@
 import static org.keycloak.OAuth2Constants.IMPLICIT;
 import static org.keycloak.OAuth2Constants.PASSWORD;
 import static org.keycloak.OAuth2Constants.REFRESH_TOKEN;
+import static org.keycloak.OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE;
 import static org.keycloak.models.OAuth2DeviceConfig.OAUTH2_DEVICE_AUTHORIZATION_GRANT_ENABLED;
 import static org.keycloak.protocol.oidc.utils.OIDCResponseType.CODE;
 import static org.keycloak.protocol.oidc.utils.OIDCResponseType.ID_TOKEN;
@@ -81,7 +88,7 @@ public void testClientWithoutResponseTypesAndGrantTypes() throws Exception {
 
         assertOIDCResponse(response, List.of(CODE, NONE), List.of(AUTHORIZATION_CODE, REFRESH_TOKEN));
 
-        assertKeycloakClient(response, true, false, false, false, true, false);
+        assertKeycloakClient(response, true, false, false, false, true, false, false);
     }
 
     @Test
@@ -92,7 +99,7 @@ public void testResponseTypeCodeWithoutGrantTypes() throws Exception {
 
         assertOIDCResponse(response, List.of(CODE, NONE), List.of(AUTHORIZATION_CODE, REFRESH_TOKEN));
 
-        assertKeycloakClient(response, true, false, false, false, true, false);
+        assertKeycloakClient(response, true, false, false, false, true, false, false);
     }
 
     // Limitation of Keycloak switches (Standard flow, Implicit flow) means that enabling any hybrid grant type enables also implicit flow.
@@ -106,7 +113,7 @@ public void testResponseTypeCodeIDTokenWithoutGrantTypes() throws Exception {
         assertOIDCResponse(response, List.of(CODE, NONE, ID_TOKEN, "id_token token", "code id_token", "code token", "code id_token token"),
                 List.of(AUTHORIZATION_CODE, IMPLICIT, REFRESH_TOKEN));
 
-        assertKeycloakClient(response, true, true, false, false, true, false);
+        assertKeycloakClient(response, true, true, false, false, true, false, false);
     }
 
     @Test
@@ -118,7 +125,7 @@ public void testWithoutResponseTypeClientCredentialsGrant() throws Exception {
         assertOIDCResponse(response, Collections.emptyList(),
                 List.of(CLIENT_CREDENTIALS));
 
-        assertKeycloakClient(response, false, false, false, true, false, false);
+        assertKeycloakClient(response, false, false, false, true, false, false, false);
     }
 
     @Test
@@ -130,7 +137,7 @@ public void testWithoutResponseTypePasswordGrant() throws Exception {
         assertOIDCResponse(response, Collections.emptyList(),
                 List.of(PASSWORD));
 
-        assertKeycloakClient(response, false, false, true, false, false, false);
+        assertKeycloakClient(response, false, false, true, false, false, false, false);
     }
 
     @Test
@@ -142,7 +149,7 @@ public void testWithoutResponseTypePasswordClientCredentialsRefreshTokensGrants(
         assertOIDCResponse(response, Collections.emptyList(),
                 List.of(PASSWORD, CLIENT_CREDENTIALS, REFRESH_TOKEN));
 
-        assertKeycloakClient(response, false, false, true, true, true, false);
+        assertKeycloakClient(response, false, false, true, true, true, false, false);
     }
 
     @Test
@@ -153,7 +160,7 @@ public void testClientWithoutRefreshToken() throws Exception {
 
         assertOIDCResponse(response, List.of(CODE, NONE), List.of(AUTHORIZATION_CODE));
 
-        assertKeycloakClient(response, true, false, false, false, false, false);
+        assertKeycloakClient(response, true, false, false, false, false, false, false);
     }
 
     @Test
@@ -164,7 +171,7 @@ public void testClientWithRefreshToken() throws Exception {
 
         assertOIDCResponse(response, List.of(CODE, NONE), List.of(AUTHORIZATION_CODE, REFRESH_TOKEN));
 
-        assertKeycloakClient(response, true, false, false, false, true, false);
+        assertKeycloakClient(response, true, false, false, false, true, false, false);
     }
 
     @Test
@@ -175,7 +182,27 @@ public void testNoResponseTypesWithDeviceGrant() throws Exception {
 
         assertOIDCResponse(response, Collections.emptyList(), List.of(DEVICE_CODE_GRANT_TYPE));
 
-        assertKeycloakClient(response, false, false, false, false, false, true);
+        assertKeycloakClient(response, false, false, false, false, false, true, false);
+    }
+
+    @Test
+    public void testGrantTypeTokenExchange() throws Exception {
+        OIDCClientRepresentation clientRep = createRep(null, List.of(AUTHORIZATION_CODE, REFRESH_TOKEN, TOKEN_EXCHANGE_GRANT_TYPE));
+        clientRep.setTokenEndpointAuthMethod("none");
+
+        ClientRegistrationException clientRegistrationException = Assert.assertThrows(ClientRegistrationException.class, () -> reg.oidc().create(clientRep));
+        MatcherAssert.assertThat(clientRegistrationException.getCause(), Matchers.instanceOf(HttpErrorException.class));
+        HttpErrorException httpErrorException = (HttpErrorException) clientRegistrationException.getCause();
+        Assert.assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), httpErrorException.getStatusLine().getStatusCode());
+        OAuth2ErrorRepresentation error = JsonSerialization.readValue(httpErrorException.getErrorResponse(), OAuth2ErrorRepresentation.class);
+        Assert.assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, error.getError());
+
+        clientRep.setTokenEndpointAuthMethod(null);
+        OIDCClientRepresentation response = reg.oidc().create(clientRep);
+
+        assertOIDCResponse(response, List.of(CODE, NONE), List.of(AUTHORIZATION_CODE, REFRESH_TOKEN, TOKEN_EXCHANGE_GRANT_TYPE));
+
+        assertKeycloakClient(response, true, false, false, false, true, false, true);
     }
 
     @Test
@@ -186,7 +213,7 @@ public void testCodeResponseTypeWithMoreGrants() throws Exception {
 
         assertOIDCResponse(response, List.of(CODE, NONE), List.of(AUTHORIZATION_CODE, REFRESH_TOKEN, PASSWORD, CLIENT_CREDENTIALS));
 
-        assertKeycloakClient(response, true, false, true, true, true, false);
+        assertKeycloakClient(response, true, false, true, true, true, false, false);
     }
 
     // Grant type "authorization_code" added automatically because of response_type "code" .
@@ -201,7 +228,7 @@ public void testCodeResponseTypeWithIncompatibleGrants() throws Exception {
 
         assertOIDCResponse(response, List.of(CODE, NONE), List.of(AUTHORIZATION_CODE, REFRESH_TOKEN, PASSWORD, CLIENT_CREDENTIALS));
 
-        assertKeycloakClient(response, true, false, true, true, true, false);
+        assertKeycloakClient(response, true, false, true, true, true, false, false);
     }
 
     private void assertOIDCResponse(OIDCClientRepresentation response, List<String> expectedResponseTypes, List<String> expectedGrantTypes) {
@@ -228,7 +255,8 @@ private void assertKeycloakClient(OIDCClientRepresentation response,
                                              boolean expectedDirectGrantFlow,
                                              boolean expectedServiceAccountsFlow,
                                              boolean expectedRefreshToken,
-                                             boolean expectedDeviceGrant) {
+                                             boolean expectedDeviceGrant,
+                                             boolean expectedTokenExchange) {
         ClientRepresentation kcClient = getClient(response.getClientId());
         OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientRepresentation(kcClient);
         Assert.assertEquals("Expected standard flow: " + expectedStandardFlow + " did not match.", expectedStandardFlow, kcClient.isStandardFlowEnabled());
@@ -239,5 +267,6 @@ private void assertKeycloakClient(OIDCClientRepresentation response,
         Assert.assertFalse("Don't expect refresh token for client credentials grant enabled", config.isUseRefreshTokenForClientCredentialsGrant());
         boolean deviceEnabled = kcClient.getAttributes() != null && Boolean.parseBoolean(kcClient.getAttributes().get(OAUTH2_DEVICE_AUTHORIZATION_GRANT_ENABLED));
         Assert.assertEquals("Expected device: " + expectedDeviceGrant + " did not match.", expectedDeviceGrant, deviceEnabled);
+        Assert.assertEquals("Expected Token Exchange: " + expectedTokenExchange + " did not match.", expectedTokenExchange, config.isStandardTokenExchangeEnabled());
     }
 }