THREESCALE-15279: Expose audience_mapper_client_id in application API#4350
Open
jlledom wants to merge 2 commits into
Open
THREESCALE-15279: Expose audience_mapper_client_id in application API#4350jlledom wants to merge 2 commits into
audience_mapper_client_id in application API#4350jlledom wants to merge 2 commits into
Conversation
RHBK 26.6.2+ rejects token introspection when the calling client is not in the token's aud claim. Zync adds an oidc-audience-mapper to Keycloak clients when audience_mapper_client_id is present in the application API response, setting included.client.audience to that value. Only Porta knows which client calls the introspection endpoint, derived from the Token Introspection policy on the live proxy. The value is the userinfo component of oidc_issuer_endpoint, used when auth_type is use_3scale_oidc_issuer_endpoint or absent — the only case where Zync manages the introspecting client. Other auth types (client_id+client_secret, client_secret_jwt, private_key_jwt) use externally managed clients, so no audience mapper is needed and nil is returned. Assisted-by: Claude Code
audience_mapper_client_id in application API
Extract URI parsing into a private helper to reduce cyclomatic complexity and eliminate the rescue modifier form. Assign auth_type to a local variable to fix the reek DuplicateMethodCall. Freeze ISSUER_URL and introduce setup to satisfy the UtilityFunction reek warning. Remove the redundant block receiver in with_options. Assisted-by: Claude Code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
More details in the ticket description, but summarizing:
Some details:
Proxy#audience_mapper_client_idthat reads the Token Introspection policy from the live proxy'spolicies_configand returns the userinfo component ofoidc_issuer_endpoint— the client ID that calls the introspection endpointauth_typeisuse_3scale_oidc_issuer_endpoint(or absent/blank); returnsnilforclient_id+client_secret,client_secret_jwt, andprivate_key_jwtsince those use externally managed clients that Zync doesn't controlServiceandCinstance, and exposes it in theCinstanceRepresenterOIDC block so Zync receives it viaGET /admin/api/applications/find.jsonaudience_mapper_client_idis present, Zync adds anoidc-audience-mapperto the Keycloak client, which adds the introspecting client to the token'saudclaim — fixing the RHBK 26.6.2+ breaking changeWhich issue(s) this PR fixes
THREESCALE-15279
Special notes for your reviewer:
THREESCALE-15279-token-introspection