Update default requested token-type and add switch for refresh token

rmartinc · mposolda · commit c15a24f44715 · 2025-02-25T10:08:56.000+01:00
Closes #37115

Signed-off-by: rmartinc &lt;rmartinc@redhat.com&gt;
diff --git a/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties b/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties
@@ -449,6 +449,7 @@ detailsHelp=This is information about the details.
 adminEvents=Admin events
 serviceAccountHelp=Allows you to authenticate this client to Keycloak and retrieve access token dedicated to this client. In terms of OAuth2 specification, this enables support of 'Client Credentials Grant' for this client.
 standardTokenExchangeEnabledHelp=Enable Standard Token Exchange V2 for this client.
+enableRefreshRequestedTokenTypeHelp=If property is on, Standard Token Exchange V2 allows the urn:ietf:params:oauth:token-type:refresh_token value for the requested_token_type parameter and returns a refresh_token in the response. If it is off, an error is returned for that requested_token_type.
 urisHelp=Set of URIs which are protected by resource.
 eventTypes.IDENTITY_PROVIDER_RESPONSE.name=Identity provider response
 confirmClientSecretTitle=Regenerate secret for this client?
@@ -1114,6 +1115,7 @@ webAuthnPolicyRpId=Relying party ID
 ldapRolesDnHelp=LDAP DN where roles of this tree are saved. For example, 'ou\=finance,dc\=example,dc\=org'.
 serviceAccount=Service accounts roles
 standardTokenExchangeEnabled=Standard Token Exchange
+enableRefreshRequestedTokenType=Allow refresh token in Standard Token Exchange
 providerUpdatedSuccess=Client policy updated successfully
 assertionConsumerServiceRedirectBindingURL=Assertion Consumer Service Redirect Binding URL
 createClientScopeError=Could not create client scope\: '{{error}}'
diff --git a/js/apps/admin-ui/src/clients/advanced/OpenIdConnectCompatibilityModes.tsx b/js/apps/admin-ui/src/clients/advanced/OpenIdConnectCompatibilityModes.tsx
@@ -6,6 +6,7 @@ import { FormAccess } from "../../components/form/FormAccess";
 import { HelpItem } from "@keycloak/keycloak-ui-shared";
 import { convertAttributeNameToForm } from "../../util";
 import { FormFields } from "../ClientDetails";
+import useIsFeatureEnabled, { Feature } from "../../utils/useIsFeatureEnabled";
 
 type OpenIdConnectCompatibilityModesProps = {
   save: () => void;
@@ -19,7 +20,16 @@ export const OpenIdConnectCompatibilityModes = ({
   hasConfigureAccess,
 }: OpenIdConnectCompatibilityModesProps) => {
   const { t } = useTranslation();
-  const { control } = useFormContext();
+  const { control, watch } = useFormContext();
+  const isFeatureEnabled = useIsFeatureEnabled();
+  const tokenExchangeEnabled = watch(
+    convertAttributeNameToForm<FormFields>(
+      "attributes.standard.token.exchange.enabled",
+    ),
+  );
+  const useRefreshTokens = watch(
+    convertAttributeNameToForm<FormFields>("attributes.use.refresh.tokens"),
+  );
   return (
     <FormAccess
       role="manage-clients"
@@ -171,6 +181,46 @@ export const OpenIdConnectCompatibilityModes = ({
           )}
         />
       </FormGroup>
+
+      {isFeatureEnabled(Feature.StandardTokenExchangeV2) && (
+        <FormGroup
+          label={t("enableRefreshRequestedTokenType")}
+          fieldId="enableRefreshRequestedTokenType"
+          hasNoPaddingTop
+          labelIcon={
+            <HelpItem
+              helpText={t("enableRefreshRequestedTokenTypeHelp")}
+              fieldLabelId="enableRefreshRequestedTokenType"
+            />
+          }
+        >
+          <Controller
+            name={convertAttributeNameToForm<FormFields>(
+              "attributes.standard.token.exchange.enableRefreshRequestedTokenType",
+            )}
+            defaultValue="false"
+            control={control}
+            render={({ field }) => (
+              <Switch
+                id="enableRefreshRequestedTokenType"
+                label={t("on")}
+                labelOff={t("off")}
+                isChecked={
+                  field.value === "true" &&
+                  tokenExchangeEnabled?.toString() === "true" &&
+                  useRefreshTokens?.toString() === "true"
+                }
+                onChange={(_event, value) => field.onChange(value.toString())}
+                aria-label={t("enableRefreshRequestedTokenType")}
+                isDisabled={
+                  tokenExchangeEnabled?.toString() !== "true" ||
+                  useRefreshTokens?.toString() !== "true"
+                }
+              />
+            )}
+          />
+        </FormGroup>
+      )}
       <ActionGroup>
         <Button
           variant="secondary"
diff --git a/server-spi-private/src/main/java/org/keycloak/protocol/oidc/OIDCConfigAttributes.java b/server-spi-private/src/main/java/org/keycloak/protocol/oidc/OIDCConfigAttributes.java
@@ -88,6 +88,7 @@ public final class OIDCConfigAttributes {
     public static final String POST_LOGOUT_REDIRECT_URIS = "post.logout.redirect.uris";
     
     public static final String STANDARD_TOKEN_EXCHANGE_ENABLED = "standard.token.exchange.enabled";
+    public static final String STANDARD_TOKEN_EXCHANGE_REFRESH_ENABLED = "standard.token.exchange.enableRefreshRequestedTokenType";
 
     private OIDCConfigAttributes() {
     }
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/OIDCAdvancedConfigWrapper.java b/services/src/main/java/org/keycloak/protocol/oidc/OIDCAdvancedConfigWrapper.java
@@ -240,6 +240,14 @@ public void setStandardTokenExchangeEnabled(boolean enable) {
         setAttribute(OIDCConfigAttributes.STANDARD_TOKEN_EXCHANGE_ENABLED, val);
     }
 
+    public boolean isStandardTokenExchangeRefreshEnabled() {
+        return Boolean.parseBoolean(getAttribute(OIDCConfigAttributes.STANDARD_TOKEN_EXCHANGE_REFRESH_ENABLED));
+    }
+
+    public void setStandardTokenExchangeRefreshEnabled(boolean enable) {
+        setAttribute(OIDCConfigAttributes.STANDARD_TOKEN_EXCHANGE_REFRESH_ENABLED, String.valueOf(enable));
+    }
+
     public String getTlsClientAuthSubjectDn() {
         return getAttribute(X509ClientAuthenticator.ATTR_SUBJECT_DN);
      }
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/tokenexchange/AbstractTokenExchangeProvider.java b/services/src/main/java/org/keycloak/protocol/oidc/tokenexchange/AbstractTokenExchangeProvider.java
@@ -210,14 +210,17 @@ protected String getRequestedTokenType() {
         String requestedTokenType = formParams.getFirst(OAuth2Constants.REQUESTED_TOKEN_TYPE);
         if (requestedTokenType == null) {
             requestedTokenType = OAuth2Constants.REFRESH_TOKEN_TYPE;
-        } else if (!requestedTokenType.equals(OAuth2Constants.ACCESS_TOKEN_TYPE) &&
-                !requestedTokenType.equals(OAuth2Constants.REFRESH_TOKEN_TYPE) &&
-                !requestedTokenType.equals(OAuth2Constants.SAML2_TOKEN_TYPE)) {
-            event.detail(Details.REASON, "requested_token_type unsupported");
-            event.error(Errors.INVALID_REQUEST);
-            throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "requested_token_type unsupported", Response.Status.BAD_REQUEST);
-        }
-        return requestedTokenType;
+            return requestedTokenType;
+        }
+        if (requestedTokenType.equals(OAuth2Constants.ACCESS_TOKEN_TYPE)
+                || requestedTokenType.equals(OAuth2Constants.REFRESH_TOKEN_TYPE)
+                || requestedTokenType.equals(OAuth2Constants.SAML2_TOKEN_TYPE)) {
+            return requestedTokenType;
+        }
+
+        event.detail(Details.REASON, "requested_token_type unsupported");
+        event.error(Errors.INVALID_REQUEST);
+        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "requested_token_type unsupported", Response.Status.BAD_REQUEST);
     }
 
     protected List<ClientModel> getTargetAudienceClients() {
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/tokenexchange/StandardTokenExchangeProvider.java b/services/src/main/java/org/keycloak/protocol/oidc/tokenexchange/StandardTokenExchangeProvider.java
@@ -27,6 +27,7 @@
 import java.util.List;
 import java.util.Set;
 import java.util.StringJoiner;
+import java.util.stream.Collectors;
 import org.keycloak.OAuth2Constants;
 import org.keycloak.OAuthErrorException;
 import org.keycloak.common.ClientConnection;
@@ -205,15 +206,26 @@ protected Response exchangeClientToOIDCClient(UserModel targetUser, UserSessionM
         AuthenticationSessionModel authSession = createSessionModel(targetUserSession, rootAuthSession, targetUser, client, scope);
 
         if (targetUserSession == null) {
-            // if no session is associated with a subject_token, a transient session is created to only allow building a token to the audience
+            // if no session is associated with a subject_token, a new session will be created, only persistent if refresh token type requested
             targetUserSession = new UserSessionManager(session).createUserSession(authSession.getParentSession().getId(), realm, targetUser, targetUser.getUsername(),
-                    clientConnection.getRemoteAddr(), ServiceAccountConstants.CLIENT_AUTH, false, null, null, UserSessionModel.SessionPersistenceState.TRANSIENT);
+                    clientConnection.getRemoteAddr(), ServiceAccountConstants.CLIENT_AUTH, false, null, null,
+                    requestedTokenType.equals(OAuth2Constants.REFRESH_TOKEN_TYPE)
+                            ? UserSessionModel.SessionPersistenceState.PERSISTENT
+                            : UserSessionModel.SessionPersistenceState.TRANSIENT);
         }
 
         event.session(targetUserSession);
 
         ClientSessionContext clientSessionCtx = TokenManager.attachAuthenticationSession(this.session, targetUserSession, authSession);
 
+        if (requestedTokenType.equals(OAuth2Constants.REFRESH_TOKEN_TYPE)
+                && clientSessionCtx.getClientScopesStream().filter(s -> OAuth2Constants.OFFLINE_ACCESS.equals(s.getName())).findAny().isPresent()) {
+            event.detail(Details.REASON, "Scope offline_access not allowed for token exchange");
+            event.error(Errors.INVALID_REQUEST);
+            throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST,
+                    "Scope offline_access not allowed for token exchange", Response.Status.BAD_REQUEST);
+        }
+
         updateUserSessionFromClientAuth(targetUserSession);
 
         if (params.getAudience() != null && !targetAudienceClients.isEmpty()) {
@@ -231,20 +243,12 @@ protected Response exchangeClientToOIDCClient(UserModel targetUser, UserSessionM
             responseBuilder.getAccessToken().setSessionId(null);
         }
 
-        String issuedTokenType;
-        if (requestedTokenType.equals(OAuth2Constants.ID_TOKEN_TYPE)) {
-            issuedTokenType = OAuth2Constants.ID_TOKEN_TYPE;
-        } else if (requestedTokenType.equals(OAuth2Constants.REFRESH_TOKEN_TYPE)
-                && OIDCAdvancedConfigWrapper.fromClientModel(client).isUseRefreshToken()
-                && targetUserSession.getPersistenceState() != UserSessionModel.SessionPersistenceState.TRANSIENT) {
+        if (OAuth2Constants.REFRESH_TOKEN_TYPE.equals(requestedTokenType)) {
             responseBuilder.generateRefreshToken();
-            issuedTokenType = OAuth2Constants.REFRESH_TOKEN_TYPE;
-        } else {
-            issuedTokenType = OAuth2Constants.ACCESS_TOKEN_TYPE;
         }
 
         AccessTokenResponse res;
-        if (OAuth2Constants.ID_TOKEN_TYPE.equals(issuedTokenType)) {
+        if (OAuth2Constants.ID_TOKEN_TYPE.equals(requestedTokenType)) {
             // Using the id-token inside "access_token" parameter as per description of "access_token" parameter under https://datatracker.ietf.org/doc/html/rfc8693#name-successful-response
             res = responseBuilder.generateIDToken().build();
             res.setToken(res.getIdToken());
@@ -258,7 +262,7 @@ protected Response exchangeClientToOIDCClient(UserModel targetUser, UserSessionM
             res = responseBuilder.build();
         }
 
-        res.setOtherClaims(OAuth2Constants.ISSUED_TOKEN_TYPE, issuedTokenType);
+        res.setOtherClaims(OAuth2Constants.ISSUED_TOKEN_TYPE, requestedTokenType);
 
         if (responseBuilder.getAccessToken().getAudience() != null) {
             StringJoiner joiner = new StringJoiner(" ");
@@ -306,15 +310,22 @@ protected List<String> getSupportedOAuthResponseTokenTypes() {
     protected String getRequestedTokenType() {
         String requestedTokenType = params.getRequestedTokenType();
         if (requestedTokenType == null) {
-            requestedTokenType = OAuth2Constants.REFRESH_TOKEN_TYPE; // TODO: Refresh token should not be the default one and should be supported just if enabled by the switch
-        } else if (!requestedTokenType.equals(OAuth2Constants.ACCESS_TOKEN_TYPE) &&
-                !requestedTokenType.equals(OAuth2Constants.REFRESH_TOKEN_TYPE) &&
-                !requestedTokenType.equals(OAuth2Constants.ID_TOKEN_TYPE) &&
-                !requestedTokenType.equals(OAuth2Constants.SAML2_TOKEN_TYPE)) {
-            event.detail(Details.REASON, "requested_token_type unsupported");
-            event.error(Errors.INVALID_REQUEST);
-            throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "requested_token_type unsupported", Response.Status.BAD_REQUEST);
+            requestedTokenType = OAuth2Constants.ACCESS_TOKEN_TYPE;
+            return requestedTokenType;
+        }
+        if (requestedTokenType.equals(OAuth2Constants.ACCESS_TOKEN_TYPE)
+                || requestedTokenType.equals(OAuth2Constants.ID_TOKEN_TYPE)
+                || requestedTokenType.equals(OAuth2Constants.SAML2_TOKEN_TYPE)) {
+            return requestedTokenType;
         }
-        return requestedTokenType;
+        OIDCAdvancedConfigWrapper oidcClient = OIDCAdvancedConfigWrapper.fromClientModel(client);
+        if (requestedTokenType.equals(OAuth2Constants.REFRESH_TOKEN_TYPE)
+                && oidcClient.isUseRefreshToken() && oidcClient.isStandardTokenExchangeRefreshEnabled()) {
+            return requestedTokenType;
+        }
+
+        event.detail(Details.REASON, "requested_token_type unsupported");
+        event.error(Errors.INVALID_REQUEST);
+        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "requested_token_type unsupported", Response.Status.BAD_REQUEST);
     }
 }
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/tokenexchange/StandardTokenExchangeV2Test.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/tokenexchange/StandardTokenExchangeV2Test.java
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/token-exchange/testrealm-token-exchange-v2.json b/testsuite/integration-arquillian/tests/base/src/test/resources/token-exchange/testrealm-token-exchange-v2.json

Original file line number	Diff line number	Diff line change
`@@ -88,6 +88,7 @@ public final class OIDCConfigAttributes {`
`88`	`88`	`public static final String POST_LOGOUT_REDIRECT_URIS = "post.logout.redirect.uris";`
`89`	`89`
`90`	`90`	`public static final String STANDARD_TOKEN_EXCHANGE_ENABLED = "standard.token.exchange.enabled";`
	`91`	`+ public static final String STANDARD_TOKEN_EXCHANGE_REFRESH_ENABLED = "standard.token.exchange.enableRefreshRequestedTokenType";`
`91`	`92`
`92`	`93`	`private OIDCConfigAttributes() {`
`93`	`94`	`}`
Original file line number	Diff line number	Diff line change
`@@ -240,6 +240,14 @@ public void setStandardTokenExchangeEnabled(boolean enable) {`
`240`	`240`	`setAttribute(OIDCConfigAttributes.STANDARD_TOKEN_EXCHANGE_ENABLED, val);`
`241`	`241`	`}`
`242`	`242`
	`243`	`+ public boolean isStandardTokenExchangeRefreshEnabled() {`
	`244`	`+ return Boolean.parseBoolean(getAttribute(OIDCConfigAttributes.STANDARD_TOKEN_EXCHANGE_REFRESH_ENABLED));`
	`245`	`+ }`
	`246`	`+`
	`247`	`+ public void setStandardTokenExchangeRefreshEnabled(boolean enable) {`
	`248`	`+ setAttribute(OIDCConfigAttributes.STANDARD_TOKEN_EXCHANGE_REFRESH_ENABLED, String.valueOf(enable));`
	`249`	`+ }`
	`250`	`+`
`243`	`251`	`public String getTlsClientAuthSubjectDn() {`
`244`	`252`	`return getAttribute(X509ClientAuthenticator.ATTR_SUBJECT_DN);`
`245`	`253`	`}`