KEYCLOAK-15270 Account REST API doesn't verify audience

examples/providers/domain-extension/src/main/java/org/keycloak/examples/domainextension/rest/ExampleRestResource.java

@@ -15,7 +15,7 @@ public class ExampleRestResource {
 
 	public ExampleRestResource(KeycloakSession session) {
 		this.session = session;
-        this.auth = new AppAuthManager().authenticateBearerToken(session, session.getContext().getRealm());
+        this.auth = new AppAuthManager.BearerTokenAuthenticator(session).authenticate();
 	}
 
     @Path("companies")

services/src/main/java/org/keycloak/authorization/util/Tokens.java

@@ -30,9 +30,7 @@
 public class Tokens {
 
     public static AccessToken getAccessToken(KeycloakSession keycloakSession) {
-        AppAuthManager authManager = new AppAuthManager();
-        KeycloakContext context = keycloakSession.getContext();
-        AuthResult authResult = authManager.authenticateBearerToken(keycloakSession, context.getRealm(), context.getUri(), context.getConnection(), context.getRequestHeaders());
+        AuthResult authResult = new AppAuthManager.BearerTokenAuthenticator(keycloakSession).authenticate();
 
         if (authResult != null) {
             return authResult.getToken();
@@ -42,9 +40,9 @@ public static AccessToken getAccessToken(KeycloakSession keycloakSession) {
     }
 
     public static AccessToken getAccessToken(String accessToken, KeycloakSession keycloakSession) {
-        AppAuthManager authManager = new AppAuthManager();
-        KeycloakContext context = keycloakSession.getContext();
-        AuthResult authResult = authManager.authenticateBearerToken(accessToken, keycloakSession, context.getRealm(), context.getUri(), context.getConnection(), context.getRequestHeaders());
+        AuthResult authResult = new AppAuthManager.BearerTokenAuthenticator(keycloakSession)
+                .setTokenString(accessToken)
+                .authenticate();
 
         if (authResult != null) {
             return authResult.getToken();

services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java

@@ -84,7 +84,6 @@
 import org.keycloak.services.ServicesLogger;
 import org.keycloak.services.Urls;
 import org.keycloak.services.clientpolicy.ClientPolicyException;
-import org.keycloak.services.clientpolicy.DefaultClientPolicyManager;
 import org.keycloak.services.clientpolicy.TokenRefreshContext;
 import org.keycloak.services.clientpolicy.TokenRequestContext;
 import org.keycloak.services.managers.AppAuthManager;
@@ -797,7 +796,7 @@ public Response tokenExchange() {
 
             }
 
-            AuthenticationManager.AuthResult authResult = AuthenticationManager.verifyIdentityToken(session, realm, session.getContext().getUri(), clientConnection, true, true, false, subjectToken, headers);
+            AuthenticationManager.AuthResult authResult = AuthenticationManager.verifyIdentityToken(session, realm, session.getContext().getUri(), clientConnection, true, true, null, false, subjectToken, headers);
             if (authResult == null) {
                 event.detail(Details.REASON, "subject_token validation failure");
                 event.error(Errors.INVALID_TOKEN);

services/src/main/java/org/keycloak/services/managers/AppAuthManager.java

@@ -53,7 +53,7 @@ public AuthResult authenticateIdentityCookie(KeycloakSession session, RealmModel
      *
      * @return the token string or {@literal null}
      */
-    private String extractTokenStringFromAuthHeader(String authHeader) {
+    private static String extractTokenStringFromAuthHeader(String authHeader) {
 
         if (authHeader == null) {
             return null;
@@ -83,7 +83,7 @@ private String extractTokenStringFromAuthHeader(String authHeader) {
      * @param headers
      * @return the token string or {@literal null} if the Authorization header is not of type Bearer, or the token string is missing.
      */
-    public String extractAuthorizationHeaderTokenOrReturnNull(HttpHeaders headers) {
+    public static String extractAuthorizationHeaderTokenOrReturnNull(HttpHeaders headers) {
         String authHeader = headers.getRequestHeaders().getFirst(HttpHeaders.AUTHORIZATION);
         return extractTokenStringFromAuthHeader(authHeader);
     }
@@ -95,7 +95,7 @@ public String extractAuthorizationHeaderTokenOrReturnNull(HttpHeaders headers) {
      * @return the token string or {@literal null} of the Authorization header is missing
      * @throws  NotAuthorizedException if the Authorization header is not of type Bearer, or the token string is missing.
      */
-    public String extractAuthorizationHeaderToken(HttpHeaders headers) {
+    public static String extractAuthorizationHeaderToken(HttpHeaders headers) {
         String authHeader = headers.getRequestHeaders().getFirst(HttpHeaders.AUTHORIZATION);
         if (authHeader == null) {
             return null;
@@ -107,23 +107,65 @@ public String extractAuthorizationHeaderToken(HttpHeaders headers) {
         return tokenString;
     }
 
-    public AuthResult authenticateBearerToken(KeycloakSession session, RealmModel realm) {
-        KeycloakContext ctx = session.getContext();
-        return authenticateBearerToken(session, realm, ctx.getUri(), ctx.getConnection(), ctx.getRequestHeaders());
-    }
+    public static class BearerTokenAuthenticator {
+        private KeycloakSession session;
+        private RealmModel realm;
+        private UriInfo uriInfo;
+        private ClientConnection connection;
+        private HttpHeaders headers;
+        private String tokenString;
+        private String audience;
+
+        public BearerTokenAuthenticator(KeycloakSession session) {
+            this.session = session;
+        }
 
-    public AuthResult authenticateBearerToken(KeycloakSession session) {
-        return authenticateBearerToken(session, session.getContext().getRealm(), session.getContext().getUri(), session.getContext().getConnection(), session.getContext().getRequestHeaders());
-    }
+        public BearerTokenAuthenticator setSession(KeycloakSession session) {
+            this.session = session;
+            return this;
+        }
 
-    public AuthResult authenticateBearerToken(KeycloakSession session, RealmModel realm, UriInfo uriInfo, ClientConnection connection, HttpHeaders headers) {
-        return authenticateBearerToken(extractAuthorizationHeaderToken(headers), session, realm, uriInfo, connection, headers);
-    }
+        public BearerTokenAuthenticator setRealm(RealmModel realm) {
+            this.realm = realm;
+            return this;
+        }
 
-    public AuthResult authenticateBearerToken(String tokenString, KeycloakSession session, RealmModel realm, UriInfo uriInfo, ClientConnection connection, HttpHeaders headers) {
-        if (tokenString == null) return null;
-        AuthResult authResult = verifyIdentityToken(session, realm, uriInfo, connection, true, true, false, tokenString, headers);
-        return authResult;
+        public BearerTokenAuthenticator setUriInfo(UriInfo uriInfo) {
+            this.uriInfo = uriInfo;
+            return this;
+        }
+
+        public BearerTokenAuthenticator setConnection(ClientConnection connection) {
+            this.connection = connection;
+            return this;
+        }
+
+        public BearerTokenAuthenticator setHeaders(HttpHeaders headers) {
+            this.headers = headers;
+            return this;
+        }
+
+        public BearerTokenAuthenticator setTokenString(String tokenString) {
+            this.tokenString = tokenString;
+            return this;
+        }
+
+        public BearerTokenAuthenticator setAudience(String audience) {
+            this.audience = audience;
+            return this;
+        }
+
+        public AuthResult authenticate() {
+            KeycloakContext ctx = session.getContext();
+            if (realm == null) realm = ctx.getRealm();
+            if (uriInfo == null) uriInfo = ctx.getUri();
+            if (connection == null) connection = ctx.getConnection();
+            if (headers == null) headers = ctx.getRequestHeaders();
+            if (tokenString == null) tokenString = extractAuthorizationHeaderToken(headers);
+            // audience can be null
+
+            return verifyIdentityToken(session, realm, uriInfo, connection, true, true, audience, false, tokenString, headers);
+        }
     }
 
 }

services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java

@@ -779,7 +779,7 @@ public static AuthResult authenticateIdentityCookie(KeycloakSession session, Rea
         }
 
         String tokenString = cookie.getValue();
-        AuthResult authResult = verifyIdentityToken(session, realm, session.getContext().getUri(), session.getContext().getConnection(), checkActive, false, true, tokenString, session.getContext().getRequestHeaders(), VALIDATE_IDENTITY_COOKIE);
+        AuthResult authResult = verifyIdentityToken(session, realm, session.getContext().getUri(), session.getContext().getConnection(), checkActive, false, null, true, tokenString, session.getContext().getRequestHeaders(), VALIDATE_IDENTITY_COOKIE);
         if (authResult == null) {
             expireIdentityCookie(realm, session.getContext().getUri(), session.getContext().getConnection());
             expireOldIdentityCookie(realm, session.getContext().getUri(), session.getContext().getConnection());
@@ -1261,14 +1261,19 @@ public void ignore() {
     }
 
     public static AuthResult verifyIdentityToken(KeycloakSession session, RealmModel realm, UriInfo uriInfo, ClientConnection connection, boolean checkActive, boolean checkTokenType,
-                                                    boolean isCookie, String tokenString, HttpHeaders headers, Predicate<? super AccessToken>... additionalChecks) {
+                                                 String checkAudience, boolean isCookie, String tokenString, HttpHeaders headers, Predicate<? super AccessToken>... additionalChecks) {
         try {
             TokenVerifier<AccessToken> verifier = TokenVerifier.create(tokenString, AccessToken.class)
               .withDefaultChecks()
               .realmUrl(Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()))
               .checkActive(checkActive)
               .checkTokenType(checkTokenType)
               .withChecks(additionalChecks);
+
+            if (checkAudience != null) {
+                verifier.audience(checkAudience);
+            }
+
             String kid = verifier.getHeader().getKeyId();
             String algorithm = verifier.getHeader().getAlgorithm().name();
 

services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java

@@ -448,8 +448,11 @@ private Response getToken(String providerId, boolean forceRetrieval) {
         this.event.event(EventType.IDENTITY_PROVIDER_RETRIEVE_TOKEN);
 
         try {
-            AppAuthManager authManager = new AppAuthManager();
-            AuthenticationManager.AuthResult authResult = authManager.authenticateBearerToken(this.session, this.realmModel, this.session.getContext().getUri(), this.clientConnection, this.request.getHttpHeaders());
+            AuthenticationManager.AuthResult authResult = new AppAuthManager.BearerTokenAuthenticator(session)
+                    .setRealm(realmModel)
+                    .setConnection(clientConnection)
+                    .setHeaders(request.getHttpHeaders())
+                    .authenticate();
 
             if (authResult != null) {
                 AccessToken token = authResult.getToken();

services/src/main/java/org/keycloak/services/resources/account/AccountLoader.java

@@ -114,7 +114,10 @@ private boolean isDeprecatedFormsAccountConsole(Theme theme) {
     }
 
     private AccountRestService getAccountRestService(ClientModel client, String versionStr) {
-        AuthenticationManager.AuthResult authResult = new AppAuthManager().authenticateBearerToken(session);
+        AuthenticationManager.AuthResult authResult = new AppAuthManager.BearerTokenAuthenticator(session)
+                .setAudience(client.getClientId())
+                .authenticate();
+
         if (authResult == null) {
             throw new NotAuthorizedException("Bearer token required");
         }

services/src/main/java/org/keycloak/services/resources/admin/AdminConsole.java

@@ -87,12 +87,10 @@ public class AdminConsole {
     @Context
     protected Providers providers;
 
-    protected AppAuthManager authManager;
     protected RealmModel realm;
 
     public AdminConsole(RealmModel realm) {
         this.realm = realm;
-        this.authManager = new AppAuthManager();
     }
 
     public static class WhoAmI {
@@ -195,7 +193,12 @@ public ClientManager.InstallationAdapterConfig config() {
     @NoCache
     public Response whoAmI(final @Context HttpHeaders headers) {
         RealmManager realmManager = new RealmManager(session);
-        AuthenticationManager.AuthResult authResult = authManager.authenticateBearerToken(session, realm, session.getContext().getUri(), clientConnection, headers);
+        AuthenticationManager.AuthResult authResult = new AppAuthManager.BearerTokenAuthenticator(session)
+                .setRealm(realm)
+                .setConnection(clientConnection)
+                .setHeaders(headers)
+                .authenticate();
+
         if (authResult == null) {
             return Response.status(401).build();
         }

services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java

@@ -72,15 +72,13 @@ public class AdminRoot {
     @Context
     protected HttpResponse response;
 
-    protected AppAuthManager authManager;
     protected TokenManager tokenManager;
 
     @Context
     protected KeycloakSession session;
 
     public AdminRoot() {
         this.tokenManager = new TokenManager();
-        this.authManager = new AppAuthManager();
     }
 
     public static UriBuilder adminBaseUrl(UriInfo uriInfo) {
@@ -153,7 +151,7 @@ public AdminConsole getAdminConsole(final @PathParam("realm") String name) {
 
 
     protected AdminAuth authenticateRealmAdminRequest(HttpHeaders headers) {
-        String tokenString = authManager.extractAuthorizationHeaderToken(headers);
+        String tokenString = AppAuthManager.extractAuthorizationHeaderToken(headers);
         if (tokenString == null) throw new NotAuthorizedException("Bearer");
         AccessToken token;
         try {
@@ -169,7 +167,13 @@ protected AdminAuth authenticateRealmAdminRequest(HttpHeaders headers) {
             throw new NotAuthorizedException("Unknown realm in token");
         }
         session.getContext().setRealm(realm);
-        AuthenticationManager.AuthResult authResult = authManager.authenticateBearerToken(session, realm, session.getContext().getUri(), clientConnection, headers);
+
+        AuthenticationManager.AuthResult authResult = new AppAuthManager.BearerTokenAuthenticator(session)
+                .setRealm(realm)
+                .setConnection(clientConnection)
+                .setHeaders(headers)
+                .authenticate();
+
         if (authResult == null) {
             logger.debug("Token not valid");
             throw new NotAuthorizedException("Bearer");

testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/domainextension/rest/ExampleRestResource.java

@@ -32,7 +32,7 @@ public class ExampleRestResource {
 
 	public ExampleRestResource(KeycloakSession session) {
 		this.session = session;
-        this.auth = new AppAuthManager().authenticateBearerToken(session, session.getContext().getRealm());
+        this.auth = new AppAuthManager.BearerTokenAuthenticator(session).authenticate();
 	}
 
     @Path("companies")

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountFormServiceTest.java

@@ -1203,15 +1203,15 @@ public void applicationsVisibilityNoScopesNoConsent() throws Exception {
 
             Map<String, AccountApplicationsPage.AppEntry> apps = applicationsPage.getApplications();
             Assert.assertThat(apps.keySet(), containsInAnyOrder(
-              /* "root-url-client", */ "Account", "Account Console", "test-app", "test-app-scope", "third-party", "test-app-authz", "My Named Test App", "Test App Named - ${client_account}", "direct-grant"));
+              /* "root-url-client", */ "Account", "Account Console", "test-app", "test-app-scope", "third-party", "test-app-authz", "My Named Test App", "Test App Named - ${client_account}", "direct-grant", "custom-audience"));
 
             rsu.add(testRealm().roles().get("user").toRepresentation())
               .update();
 
             driver.navigate().refresh();
             apps = applicationsPage.getApplications();
             Assert.assertThat(apps.keySet(), containsInAnyOrder(
-              "root-url-client", "Account", "Account Console", "test-app", "test-app-scope", "third-party", "test-app-authz", "My Named Test App", "Test App Named - ${client_account}", "direct-grant"));
+              "root-url-client", "Account", "Account Console", "test-app", "test-app-scope", "third-party", "test-app-authz", "My Named Test App", "Test App Named - ${client_account}", "direct-grant", "custom-audience"));
         }
     }
 
@@ -1230,7 +1230,7 @@ public void applicationsVisibilityNoScopesAndConsent() throws Exception {
 
             Map<String, AccountApplicationsPage.AppEntry> apps = applicationsPage.getApplications();
             Assert.assertThat(apps.keySet(), containsInAnyOrder(
-              "root-url-client", "Account", "Account Console", "test-app", "test-app-scope", "third-party", "test-app-authz", "My Named Test App", "Test App Named - ${client_account}", "direct-grant"));
+              "root-url-client", "Account", "Account Console", "test-app", "test-app-scope", "third-party", "test-app-authz", "My Named Test App", "Test App Named - ${client_account}", "direct-grant", "custom-audience"));
         }
     }
 
@@ -1245,7 +1245,7 @@ public void applications() {
         applicationsPage.assertCurrent();
 
         Map<String, AccountApplicationsPage.AppEntry> apps = applicationsPage.getApplications();
-        Assert.assertThat(apps.keySet(), containsInAnyOrder("root-url-client", "Account", "Account Console", "Broker", "test-app", "test-app-scope", "third-party", "test-app-authz", "My Named Test App", "Test App Named - ${client_account}", "direct-grant"));
+        Assert.assertThat(apps.keySet(), containsInAnyOrder("root-url-client", "Account", "Account Console", "Broker", "test-app", "test-app-scope", "third-party", "test-app-authz", "My Named Test App", "Test App Named - ${client_account}", "direct-grant", "custom-audience"));
 
         AccountApplicationsPage.AppEntry accountEntry = apps.get("Account");
         Assert.assertThat(accountEntry.getRolesAvailable(), containsInAnyOrder(