Revert "No permission check for token exchange with audience"

This reverts commit 8bf5506.
eosc-kc · Jun 13, 2024 · 0b1291e · 0b1291e
1 parent 8bf5506
commit 0b1291e
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,10 +10,6 @@ Full Keycloak upstream jira issue can be shown if filtered by Fix version.
 
 Our Keycloak version is working well with PostgreSQL database. For using other SQL databases, text field in database need to be evaluated.
 
-## [Unreleased]
-### Changed
-- No permission check for token exchange with audience
-
 ## [18.0.1-2.17] - 2023-10-10
 ### Fixed
 - Fix refresh flow with scope parameter problem[Feedback from CESNET about EOSC Keycloak federation support](https://trello.com/c/VTJNB9Gu/2116-feedback-from-cesnet-about-eosc-keycloak-federation-support)

diff --git a/pom.xml b/pom.xml
@@ -42,7 +42,7 @@
         <jboss.snapshots.repo.url>https://s01.oss.sonatype.org/content/repositories/snapshots/</jboss.snapshots.repo.url>
 
         <quarkus.version>2.7.5.Final</quarkus.version>
-        <eosc-kc.version>${project.version}-2.18rc1</eosc-kc.version>
+        <eosc-kc.version>${project.version}-2.17</eosc-kc.version>
 
         <!--
         Performing a Wildfly upgrade? Run the:

diff --git a/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java b/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java
@@ -272,11 +272,11 @@ protected Response exchangeToIdentityProvider(UserModel targetUser, UserSessionM
             event.error(Errors.UNKNOWN_IDENTITY_PROVIDER);
             throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "Issuer does not support token exchange", Response.Status.BAD_REQUEST);
         }
-//        if (!AdminPermissions.management(session, realm).idps().canExchangeTo(client, providerModel)) {
-//            event.detail(Details.REASON, "client not allowed to exchange for requested_issuer");
-//            event.error(Errors.NOT_ALLOWED);
-//            throw new CorsErrorResponseException(cors, OAuthErrorException.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
-//        }
+        if (!AdminPermissions.management(session, realm).idps().canExchangeTo(client, providerModel)) {
+            event.detail(Details.REASON, "client not allowed to exchange for requested_issuer");
+            event.error(Errors.NOT_ALLOWED);
+            throw new CorsErrorResponseException(cors, OAuthErrorException.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
+        }
         Response response = ((ExchangeTokenToIdentityProviderToken)provider).exchangeFromToken(session.getContext().getUri(), event, client, targetUserSession, targetUser, formParams);
         return cors.builder(Response.fromResponse(response)).build();