Initial commit for ID-JAG receiver, which receives ID-JAG and send back access token working as as a part of token endpoint

tnorimat · Yutaka Obuchi · commit 4e4e205dd047 · 2026-03-03T07:01:34.000+09:00
Signed-off-by: Yutaka Obuchi &lt;yutaka.obuchi.sd@hitachi.com&gt;
diff --git a/common/src/main/java/org/keycloak/common/Profile.java b/common/src/main/java/org/keycloak/common/Profile.java
@@ -162,6 +162,8 @@ public enum Feature {
 
         CIMD("OAuth Client ID Metadata Document", Type.EXPERIMENTAL),
 
+        IDENTITY_ASSERTION_JWT_VALIDATOR("Identity Assertion JWT validator", Type.EXPERIMENTAL),
+        
         /**
          * @see <a href="https://github.com/keycloak/keycloak/issues/37967">Deprecate for removal the Instagram social broker</a>.
          */
diff --git a/core/src/main/java/org/keycloak/OAuth2Constants.java b/core/src/main/java/org/keycloak/OAuth2Constants.java
@@ -80,6 +80,9 @@ public interface OAuth2Constants {
     String JWT_AUTHORIZATION_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer";
     String ASSERTION = "assertion";
 
+    // https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/
+    String IDENTITY_ASSERTION_JWT_HEADER_TYPE = "oauth-id-jag+jwt";
+
     // https://tools.ietf.org/html/draft-ietf-oauth-assertions-01#page-5
     String CLIENT_ASSERTION_TYPE = "client_assertion_type";
     String CLIENT_ASSERTION = "client_assertion";
diff --git a/server-spi-private/src/main/java/org/keycloak/protocol/oidc/JWTAuthorizationGrantValidator.java b/server-spi-private/src/main/java/org/keycloak/protocol/oidc/JWTAuthorizationGrantValidator.java
@@ -0,0 +1,28 @@
+package org.keycloak.protocol.oidc;
+
+import java.util.List;
+
+import org.keycloak.provider.Provider;
+
+/**
+ * Provider interface to support pluggable validators of JWTAuthorizationGrant token.
+ * The pluggable validators are supposed to be provided for each JWT token type  
+ *
+ * @author <a href="mailto:yutaka.obuchi.sd@hitachi.com">Yutaka Obuchi</a>
+ */
+
+public interface JWTAuthorizationGrantValidator extends Provider, JWTAuthorizationGrantValidationContext{
+
+    public void validateClient();
+    
+    public void validateIssuer();
+    
+    public void validateSubject();
+    
+    public boolean validateTokenActive(int allowedClockSkew, int maxExp, boolean reusePermitted); 
+    
+    public boolean validateSignatureAlgorithm(String expectedSignatureAlg);
+    
+    public boolean validateTokenAudience(List<String> expectedAudiences, boolean multipleAudienceAllowed);
+    
+}
diff --git a/server-spi-private/src/main/java/org/keycloak/protocol/oidc/JWTAuthorizationGrantValidatorFactory.java b/server-spi-private/src/main/java/org/keycloak/protocol/oidc/JWTAuthorizationGrantValidatorFactory.java
@@ -0,0 +1,20 @@
+package org.keycloak.protocol.oidc;
+
+import org.keycloak.provider.ProviderFactory;
+
+/**
+ * Provider interface to support pluggable validators of JWTAuthorizationGrant token.
+ * The pluggable validators are supposed to be provided for each JWT token type.
+ *
+ * @author <a href="mailto:yutaka.obuchi.sd@hitachi.com">Yutaka Obuchi</a>
+ */
+
+public interface JWTAuthorizationGrantValidatorFactory extends ProviderFactory<JWTAuthorizationGrantValidator> {
+
+    /**
+     * @return usually like 3-letters shortcut of specific grants. It can be useful for example in the tokens when the amount of characters should be limited and hence using full grant name
+     * is not ideal. Shortcut should be unique across grants.
+     */
+    String getShortcut();
+    
+}
diff --git a/server-spi-private/src/main/java/org/keycloak/protocol/oidc/JWTAuthorizationGrantValidatorSpi.java b/server-spi-private/src/main/java/org/keycloak/protocol/oidc/JWTAuthorizationGrantValidatorSpi.java
@@ -0,0 +1,38 @@
+package org.keycloak.protocol.oidc;
+
+import org.keycloak.provider.Provider;
+import org.keycloak.provider.ProviderFactory;
+import org.keycloak.provider.Spi;
+
+/**
+ * <p>A {@link Spi} support pluggable validators of JWTAuthorizationGrant token
+ * The pluggable validators are supposed to be provided for each JWT token type
+ *
+ * @author <a href="mailto:yutaka.obuchi.sd@hitachi.com">Yutaka Obuchi</a>
+ */
+
+public class JWTAuthorizationGrantValidatorSpi implements Spi {
+
+    public static final String SPI_NAME = "jwt-authorization-grant-validator";
+
+    @Override
+    public boolean isInternal() {
+        return true;
+    }
+
+    @Override
+    public String getName() {
+        return SPI_NAME;
+    }
+
+    @Override
+    public Class<? extends Provider> getProviderClass() {
+        return JWTAuthorizationGrantValidator.class;
+    }
+
+    @Override
+    public Class<? extends ProviderFactory> getProviderFactoryClass() {
+        return JWTAuthorizationGrantValidatorFactory.class;
+    }
+
+}
diff --git a/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi b/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi
@@ -113,3 +113,4 @@ org.keycloak.models.workflow.WorkflowSpi
 org.keycloak.protocol.oidc.rar.AuthorizationDetailsProcessorSpi
 org.keycloak.cache.AlternativeLookupSPI
 org.keycloak.cache.LocalCacheSPI
+org.keycloak.protocol.oidc.JWTAuthorizationGrantValidatorSpi
diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/client/AbstractBaseJWTValidator.java b/services/src/main/java/org/keycloak/authentication/authenticators/client/AbstractBaseJWTValidator.java
@@ -37,7 +37,7 @@ public abstract class AbstractBaseJWTValidator {
 
     private static final Logger logger = Logger.getLogger(AbstractBaseJWTValidator.class);
 
-    protected final ClientAssertionState clientAssertionState;
+    protected ClientAssertionState clientAssertionState;
     protected final KeycloakSession session;
     protected final int currentTime;
 
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/grants/jwtauthorization/JWTAuthorizationGrantType.java b/services/src/main/java/org/keycloak/protocol/oidc/grants/jwtauthorization/JWTAuthorizationGrantType.java
@@ -15,27 +15,36 @@
  * limitations under the License.
  */
 
-package org.keycloak.protocol.oidc.grants;
+package org.keycloak.protocol.oidc.grants.jwtauthorization;
 
 import jakarta.ws.rs.core.Response;
 
 import org.keycloak.OAuth2Constants;
 import org.keycloak.OAuthErrorException;
+import org.keycloak.authentication.authenticators.client.ClientAssertionState;
 import org.keycloak.broker.provider.BrokeredIdentityContext;
 import org.keycloak.broker.provider.JWTAuthorizationGrantProvider;
 import org.keycloak.cache.AlternativeLookupProvider;
 import org.keycloak.events.Details;
 import org.keycloak.events.Errors;
 import org.keycloak.events.EventType;
+import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.ClientSessionContext;
 import org.keycloak.models.FederatedIdentityModel;
 import org.keycloak.models.IdentityProviderModel;
+import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserSessionModel;
+import org.keycloak.protocol.oidc.JWTAuthorizationGrantValidator;
 import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
 import org.keycloak.protocol.oidc.OIDCLoginProtocol;
 import org.keycloak.protocol.oidc.TokenManager;
+import org.keycloak.protocol.oidc.grants.OAuth2GrantTypeBase;
+import org.keycloak.protocol.oidc.grants.jwtauthorization.validator.DefaultJWTAuthorizationGrantValidator;
+import org.keycloak.protocol.oidc.grants.jwtauthorization.validator.JWTAuthorizationGrantValidatorBase;
+import org.keycloak.representations.JsonWebToken;
 import org.keycloak.services.CorsErrorResponseException;
 import org.keycloak.services.Urls;
 import org.keycloak.services.clientpolicy.ClientPolicyException;
@@ -56,8 +65,38 @@ public Response process(Context context) {
 
         try {
 
-            JWTAuthorizationGrantValidator authorizationGrantContext = JWTAuthorizationGrantValidator.createValidator(
+            if (assertion == null) {
+                throw new IllegalArgumentException("Missing parameter:" + OAuth2Constants.ASSERTION);
+            }
+            
+            JWSInput jws;
+            try {
+                jws = new JWSInput(assertion);
+            } catch (JWSInputException e) {
+                throw new RuntimeException("The provided assertion is not a valid JWT");
+            }
+
+            String jwtTokenType = jws.getHeader().getType();
+            JWTAuthorizationGrantValidatorBase authorizationGrantContext = 
+                            (JWTAuthorizationGrantValidatorBase) session.getProvider(JWTAuthorizationGrantValidator.class, jwtTokenType);            
+            if( authorizationGrantContext == null){
+                authorizationGrantContext = createDefaultValidator(
                     context.getSession(), client, assertion, formParams.getFirst(OAuth2Constants.SCOPE));
+            } else {
+                JsonWebToken jwt;
+                try {
+                    jwt = jws.readJsonContent(JsonWebToken.class);
+                } catch (JWSInputException e) {
+                throw new RuntimeException("The provided assertion is not a valid JWT");
+                }
+
+                ClientAssertionState clientAssertionState = new ClientAssertionState(OAuth2Constants.JWT_AUTHORIZATION_GRANT, assertion, jws, jwt);
+                clientAssertionState.setClient(client);
+
+                authorizationGrantContext.setClientAssertionState(clientAssertionState);
+                authorizationGrantContext.setScopeParam(formParams.getFirst(OAuth2Constants.SCOPE));
+            }
+            
             event.detail(Details.IDENTITY_PROVIDER_ISSUER, authorizationGrantContext.getIssuer());
             event.detail(Details.IDENTITY_PROVIDER_USER_ID, authorizationGrantContext.getSubject());
 
@@ -166,6 +205,10 @@ protected AuthenticationSessionModel createSessionModel(RootAuthenticationSessio
         return authSession;
     }
 
+    protected JWTAuthorizationGrantValidatorBase createDefaultValidator(KeycloakSession session, ClientModel client, String assertion, String scope) {
+        return DefaultJWTAuthorizationGrantValidator.createValidator(session, client, assertion, scope);
+    }
+
     @Override
     protected boolean useRefreshToken() {
         return false; // jwt auth grant never generates the refresh token
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/grants/jwtauthorization/JWTAuthorizationGrantTypeFactory.java b/services/src/main/java/org/keycloak/protocol/oidc/grants/jwtauthorization/JWTAuthorizationGrantTypeFactory.java
@@ -15,14 +15,16 @@
  * limitations under the License.
  */
 
-package org.keycloak.protocol.oidc.grants;
+package org.keycloak.protocol.oidc.grants.jwtauthorization;
 
 
 import org.keycloak.Config;
 import org.keycloak.OAuth2Constants;
 import org.keycloak.common.Profile;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.protocol.oidc.grants.OAuth2GrantType;
+import org.keycloak.protocol.oidc.grants.OAuth2GrantTypeFactory;
 import org.keycloak.provider.EnvironmentDependentProviderFactory;
 
 public class JWTAuthorizationGrantTypeFactory implements OAuth2GrantTypeFactory, EnvironmentDependentProviderFactory {
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/grants/jwtauthorization/validator/DefaultJWTAuthorizationGrantValidator.java b/services/src/main/java/org/keycloak/protocol/oidc/grants/jwtauthorization/validator/DefaultJWTAuthorizationGrantValidator.java
@@ -0,0 +1,34 @@
+package org.keycloak.protocol.oidc.grants.jwtauthorization.validator;
+
+import org.keycloak.OAuth2Constants;
+import org.keycloak.authentication.authenticators.client.ClientAssertionState;
+import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.jose.jws.JWSInputException;
+import org.keycloak.models.ClientModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.representations.JsonWebToken;
+
+public class DefaultJWTAuthorizationGrantValidator extends JWTAuthorizationGrantValidatorBase {
+
+    public static DefaultJWTAuthorizationGrantValidator createValidator(KeycloakSession session, ClientModel client, String assertion, String scope) {
+        if (assertion == null) {
+            throw new IllegalArgumentException("Missing parameter:" + OAuth2Constants.ASSERTION);
+        }
+        try {
+            JWSInput jws = new JWSInput(assertion);
+            JsonWebToken jwt = jws.readJsonContent(JsonWebToken.class);
+            ClientAssertionState clientAssertionState = new ClientAssertionState(OAuth2Constants.JWT_AUTHORIZATION_GRANT, assertion, jws, jwt);
+            clientAssertionState.setClient(client);
+            return new DefaultJWTAuthorizationGrantValidator(session, scope, clientAssertionState);
+        } catch (JWSInputException e) {
+            throw new RuntimeException("The provided assertion is not a valid JWT");
+        }
+    }
+
+    private DefaultJWTAuthorizationGrantValidator(KeycloakSession session, String scope, ClientAssertionState clientAssertionState) {
+        super(session, clientAssertionState);
+        this.scope = scope;
+        this.audienceAlreadyValidated = false;
+    }
+
+}
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/grants/jwtauthorization/validator/IDJWTAuthorizationGrantValidator.java b/services/src/main/java/org/keycloak/protocol/oidc/grants/jwtauthorization/validator/IDJWTAuthorizationGrantValidator.java
@@ -0,0 +1,45 @@
+package org.keycloak.protocol.oidc.grants.jwtauthorization.validator;
+
+import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.jose.jws.JWSInputException;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.representations.AccessToken;
+
+import org.jboss.logging.Logger;
+
+/**
+ * a JWT validator for Identity Assertion JWT Authorization Grant (ID-JAG).
+ * Identity Assertion JWT is a new type of JWT that can be used as an authorization grant per RFC 7523.
+ *  
+ * https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/
+ *
+ * @author <a href="mailto:yutaka.obuchi.sd@hitachi.com">Yutaka Obuchi</a>
+ */
+public class IDJWTAuthorizationGrantValidator extends JWTAuthorizationGrantValidatorBase {
+
+    private static final Logger logger = Logger.getLogger(IDJWTAuthorizationGrantValidator.class);
+
+    public IDJWTAuthorizationGrantValidator(KeycloakSession session) {
+        super(session);
+    }
+
+    public void validateClient() {
+        super.validateClient();
+
+        try {
+            JWSInput jws = clientAssertionState.getJws();
+            AccessToken accessToken = jws.readJsonContent(AccessToken.class);
+            String clientIdInToken = (String) accessToken.getOtherClaims().get("client_id");
+            String clientIdInRequestHeaderOrBody = session.getContext().getClient().getClientId();
+            if (clientIdInToken == null || !clientIdInRequestHeaderOrBody.equals(clientIdInToken)) {
+                logger.warn("client id in assertion : " + clientIdInToken + " and client id in request header/body : " + clientIdInRequestHeaderOrBody);
+                failureCallback("client id in assertion : " + clientIdInToken + " and client id in request header/body : " + clientIdInRequestHeaderOrBody);
+                return;
+            }
+        } catch (JWSInputException e) {
+            failureCallback("The provided assertion is not a valid JWT");
+            return;
+        }
+    }
+
+}
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/grants/jwtauthorization/validator/IDJWTAuthorizationGrantValidatorFactory.java b/services/src/main/java/org/keycloak/protocol/oidc/grants/jwtauthorization/validator/IDJWTAuthorizationGrantValidatorFactory.java
@@ -0,0 +1,45 @@
+package org.keycloak.protocol.oidc.grants.jwtauthorization.validator;
+
+import org.keycloak.Config;
+import org.keycloak.OAuth2Constants;
+import org.keycloak.common.Profile;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.protocol.oidc.JWTAuthorizationGrantValidator;
+import org.keycloak.protocol.oidc.JWTAuthorizationGrantValidatorFactory;
+import org.keycloak.provider.EnvironmentDependentProviderFactory;
+
+public class IDJWTAuthorizationGrantValidatorFactory implements JWTAuthorizationGrantValidatorFactory, EnvironmentDependentProviderFactory {
+
+    @Override
+    public String getId() {
+        return OAuth2Constants.IDENTITY_ASSERTION_JWT_HEADER_TYPE;
+    }
+
+    @Override
+    public String getShortcut() {
+        return "idjag";
+    }
+
+    @Override
+    public JWTAuthorizationGrantValidator create(KeycloakSession session) {
+        return new IDJWTAuthorizationGrantValidator(session);
+    }
+
+    @Override
+    public void init(Config.Scope config) {
+    }
+
+    @Override
+    public void postInit(KeycloakSessionFactory factory) {
+    }
+
+    @Override
+    public void close() {
+    }
+
+    @Override
+    public boolean isSupported(Config.Scope config) {
+        return Profile.isFeatureEnabled(Profile.Feature.IDENTITY_ASSERTION_JWT_VALIDATOR);
+    }
+}
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/grants/jwtauthorization/validator/JWTAuthorizationGrantValidatorBase.java b/services/src/main/java/org/keycloak/protocol/oidc/grants/jwtauthorization/validator/JWTAuthorizationGrantValidatorBase.java
diff --git a/services/src/main/resources/META-INF/services/org.keycloak.protocol.oidc.JWTAuthorizationGrantValidatorFactory b/services/src/main/resources/META-INF/services/org.keycloak.protocol.oidc.JWTAuthorizationGrantValidatorFactory
diff --git a/services/src/main/resources/META-INF/services/org.keycloak.protocol.oidc.grants.OAuth2GrantTypeFactory b/services/src/main/resources/META-INF/services/org.keycloak.protocol.oidc.grants.OAuth2GrantTypeFactory
diff --git a/test-framework/oauth/src/main/java/org/keycloak/testframework/oauth/OAuthIdentityProvider.java b/test-framework/oauth/src/main/java/org/keycloak/testframework/oauth/OAuthIdentityProvider.java
diff --git a/tests/base/src/test/java/org/keycloak/tests/oauth/IDJWTAuthorizationGrantTest.java b/tests/base/src/test/java/org/keycloak/tests/oauth/IDJWTAuthorizationGrantTest.java
