Skip to content

THREESCALE-15279: Expose audience_mapper_client_id in application API#4350

Open
jlledom wants to merge 2 commits into
masterfrom
THREESCALE-15270-audience-mapper-client-id
Open

THREESCALE-15279: Expose audience_mapper_client_id in application API#4350
jlledom wants to merge 2 commits into
masterfrom
THREESCALE-15270-audience-mapper-client-id

Conversation

@jlledom

@jlledom jlledom commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

What this PR does / why we need it:

More details in the ticket description, but summarizing:

  1. When zync creates/updates a client in keycloak, it needs to add the audience mapper for those proxies having the introspection policy enabled
  2. The audience mapper must contain the id of the client which is going to introspect the token. This client can be any client with the proper permissions in the auth server, however, when the proxy includes the introspection policy, they might configure it to use the oidc_endpoint user as the client requesting the introspection.
  3. Only porta knows this info, so when these particular conditions met, we add this client id to the application endpoint in 3scale, the one which zync calls to fetch info, this way Zync knows which client id put in the mapper.

Some details:

  • Adds Proxy#audience_mapper_client_id that reads the Token Introspection policy from the live proxy's policies_config and returns the userinfo component of oidc_issuer_endpoint — the client ID that calls the introspection endpoint
  • Only returns a value when auth_type is use_3scale_oidc_issuer_endpoint (or absent/blank); returns nil for client_id+client_secret, client_secret_jwt, and private_key_jwt since those use externally managed clients that Zync doesn't control
  • Delegates the value up through Service and Cinstance, and exposes it in the CinstanceRepresenter OIDC block so Zync receives it via GET /admin/api/applications/find.json
  • When audience_mapper_client_id is present, Zync adds an oidc-audience-mapper to the Keycloak client, which adds the introspecting client to the token's aud claim — fixing the RHBK 26.6.2+ breaking change

Which issue(s) this PR fixes

THREESCALE-15279

Special notes for your reviewer:

  • Zync counterpart: branch THREESCALE-15279-token-introspection

RHBK 26.6.2+ rejects token introspection when the calling client is not
in the token's aud claim. Zync adds an oidc-audience-mapper to Keycloak
clients when audience_mapper_client_id is present in the application API
response, setting included.client.audience to that value.

Only Porta knows which client calls the introspection endpoint, derived
from the Token Introspection policy on the live proxy. The value is the
userinfo component of oidc_issuer_endpoint, used when auth_type is
use_3scale_oidc_issuer_endpoint or absent — the only case where Zync
manages the introspecting client. Other auth types (client_id+client_secret,
client_secret_jwt, private_key_jwt) use externally managed clients, so
no audience mapper is needed and nil is returned.

Assisted-by: Claude Code
@qltysh

qltysh Bot commented Jul 16, 2026

Copy link
Copy Markdown

All good ✅

Comment thread app/models/proxy.rb Outdated
Comment thread app/models/proxy.rb Outdated
Comment thread app/representers/cinstance_representer.rb Outdated
Comment thread test/unit/proxy_test.rb Outdated
Comment thread test/unit/proxy_test.rb
@jlledom jlledom changed the title THREESCALE-15279: Expose audience_mapper_client_id in application API THREESCALE-15279: Expose audience_mapper_client_id in application API Jul 16, 2026
Extract URI parsing into a private helper to reduce cyclomatic
complexity and eliminate the rescue modifier form. Assign auth_type
to a local variable to fix the reek DuplicateMethodCall. Freeze
ISSUER_URL and introduce setup to satisfy the UtilityFunction
reek warning. Remove the redundant block receiver in with_options.

Assisted-by: Claude Code
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant