Client Signature Required true requires also AuthnRequestsSigned be true

eosc-kc · Oct 6, 2023 · 471e0c0 · 471e0c0
1 parent c32557d
commit 471e0c0
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,7 @@ Our Keycloak version is working well with PostgreSQL database. For using other S
 ## [Unreleased]
 ### Fixed
 - Fix refresh flow with scope parameter problem[Feedback from CESNET about EOSC Keycloak federation support](https://trello.com/c/VTJNB9Gu/2116-feedback-from-cesnet-about-eosc-keycloak-federation-support)
+- Client Signature Required true requires also AuthnRequestsSigned be true[Keycloak requires signed authN requests when WantAuthNSigned=false](https://trello.com/c/XpLOXiz2/2177-keycloak-requires-signed-authn-requests-when-wantauthnsignedfalse)
 
 ### Changed
 - Add regex support in 'Condition - User attribute' execution[Add regex support in Keycloak attribute condition](https://trello.com/c/P8Dvw6ir/2121-add-regex-support-in-keycloak-attribute-condition)

diff --git a/pom.xml b/pom.xml
@@ -42,7 +42,7 @@
         <jboss.snapshots.repo.url>https://s01.oss.sonatype.org/content/repositories/snapshots/</jboss.snapshots.repo.url>
 
         <quarkus.version>2.7.5.Final</quarkus.version>
-        <eosc-kc.version>${project.version}-2.17rc5</eosc-kc.version>
+        <eosc-kc.version>${project.version}-2.17rc6</eosc-kc.version>
 
         <!--
         Performing a Wildfly upgrade? Run the:

diff --git a/services/src/main/java/org/keycloak/protocol/saml/EntityDescriptorDescriptionConverter.java b/services/src/main/java/org/keycloak/protocol/saml/EntityDescriptorDescriptionConverter.java
@@ -280,7 +280,7 @@ public static ClientRepresentation loadEntityDescriptors(InputStream is, ClientR
             }
             String certPem = KeycloakModelUtils.getPemFromCertificate(cert);
             if (keyDescriptor.getUse() == KeyTypes.SIGNING) {
-                attributes.put(SamlConfigAttributes.SAML_CLIENT_SIGNATURE_ATTRIBUTE, SamlProtocol.ATTRIBUTE_TRUE_VALUE);
+                attributes.put(SamlConfigAttributes.SAML_CLIENT_SIGNATURE_ATTRIBUTE, spDescriptorType.isAuthnRequestsSigned() ? SamlProtocol.ATTRIBUTE_TRUE_VALUE : SamlProtocol.ATTRIBUTE_FALSE_VALUE);
                 attributes.put(SamlConfigAttributes.SAML_SIGNING_CERTIFICATE_ATTRIBUTE, certPem);
             } else if (keyDescriptor.getUse() == KeyTypes.ENCRYPTION) {
                 attributes.put(SamlConfigAttributes.SAML_ENCRYPT, SamlProtocol.ATTRIBUTE_TRUE_VALUE);
@@ -291,7 +291,7 @@ public static ClientRepresentation loadEntityDescriptors(InputStream is, ClientR
         }
         //use key for both uses if exists and no signing or encryption specific key exists
         if (certFullUse != null && SamlProtocol.ATTRIBUTE_FALSE_VALUE.equals(attributes.get(SamlConfigAttributes.SAML_CLIENT_SIGNATURE_ATTRIBUTE))){
-            attributes.put(SamlConfigAttributes.SAML_CLIENT_SIGNATURE_ATTRIBUTE, SamlProtocol.ATTRIBUTE_TRUE_VALUE);
+            attributes.put(SamlConfigAttributes.SAML_CLIENT_SIGNATURE_ATTRIBUTE, spDescriptorType.isAuthnRequestsSigned() ? SamlProtocol.ATTRIBUTE_TRUE_VALUE : SamlProtocol.ATTRIBUTE_FALSE_VALUE);
             attributes.put(SamlConfigAttributes.SAML_SIGNING_CERTIFICATE_ATTRIBUTE, certFullUse);
         }
         if (certFullUse != null && SamlProtocol.ATTRIBUTE_FALSE_VALUE.equals(attributes.get(SamlConfigAttributes.SAML_ENCRYPT))){