
Remove Google provider's override of exchangeExternalImpl to allow ex… #38450


Open
wants to merge 1 commit into base: main from

Conversation

sguilhen
Contributor

…change of ID tokens

Signed-off-by: Stefan Guilhen sguilhen@redhat.com

Closes #38147

@sguilhen sguilhen requested a review from a team as a code owner March 26, 2025 13:38
@sguilhen sguilhen requested a review from rmartinc March 26, 2025 13:38
Contributor

@rmartinc rmartinc left a comment


@sguilhen I needed to make more changes to be able to exchange an ID token issued by Google. I have this in a stash:

diff --git a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
index 9509bf54fd..b1dce686e2 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
@@ -894,11 +894,13 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
     }
 
     protected boolean isTokenTypeSupported(JsonWebToken parsedToken) {
-        return SUPPORTED_TOKEN_TYPES.contains(parsedToken.getType());
+        return true; //SUPPORTED_TOKEN_TYPES.contains(parsedToken.getType());
     }
 
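Review bot: the `return true` on the isTokenTypeSupported line removes the token-type check for every provider that inherits OIDCIdentityProvider, not only Google, so an exchange could accept any JWT type (an access token, for instance) where an ID token is expected; keep `SUPPORTED_TOKEN_TYPES.contains(parsedToken.getType())` in the base class and, if Google ID tokens genuinely carry a different or missing type, override isTokenTypeSupported in GoogleIdentityProvider with the narrowest rule that works, which is also where the later discussion in this thread lands. Leaving the original expression in a trailing comment is not a substitute for the check.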
diff --git a/services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java b/services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java
index 9ef583b696..4342e7d506 100755
--- a/services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java
@@ -41,6 +41,7 @@ public class GoogleIdentityProvider extends OIDCIdentityProvider implements Soci
     public static final String AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
     public static final String TOKEN_URL = "https://oauth2.googleapis.com/token";
     public static final String PROFILE_URL = "https://openidconnect.googleapis.com/v1/userinfo";
+    public static final String JWKS_URL = "https://www.googleapis.com/oauth2/v3/certs";
     public static final String DEFAULT_SCOPE = "openid profile email";
 
     private static final String OIDC_PARAMETER_HOSTED_DOMAINS = "hd";
@@ -52,6 +53,7 @@ public class GoogleIdentityProvider extends OIDCIdentityProvider implements Soci
         config.setAuthorizationUrl(AUTH_URL);
         config.setTokenUrl(TOKEN_URL);
         config.setUserInfoUrl(PROFILE_URL);
+        config.setJwksUrl(JWKS_URL);
     }
 
     @Override
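Review bot: `config.setJwksUrl(JWKS_URL)` only records where Google's key set lives; as the follow-up comment in this thread notes, the provider option that makes signature validation actually use that JWKS still has to be set, otherwise a default Google configuration can still skip verifying the ID token. Set that option next to the URL in the same constructor so the default is validate-by-default, and cover it with a test that presents an ID token signed by a key not in the JWKS and expects rejection.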
@@ -86,10 +88,10 @@ public class GoogleIdentityProvider extends OIDCIdentityProvider implements Soci
     }
 
 
-    @Override
-    protected BrokeredIdentityContext exchangeExternalImpl(EventBuilder event, MultivaluedMap<String, String> params) {
-        return exchangeExternalUserInfoValidationOnly(event, params);
-    }
+    //@Override
+    //protected BrokeredIdentityContext exchangeExternalImpl(EventBuilder event, MultivaluedMap<String, String> params) {
+    //    return exchangeExternalUserInfoValidationOnly(event, params);
+    //}
 
     @Override
     protected UriBuilder createAuthorizationUrl(AuthenticationRequest request) {
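Review bot: delete the exchangeExternalImpl override rather than commenting it out; the four `//` lines are dead code and the commented `@Override` will only rot. Dropping the override means Google exchanges fall back to the base-class exchangeExternalImpl instead of exchangeExternalUserInfoValidationOnly, i.e. the ID token itself is validated rather than only the userinfo response; say so in the commit message and add a test for the ID-token exchange path, as the comment after the diff suggests, since nothing in the patch exercises it.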

You can try to make a test although socials are a pain. 😄

…change of ID tokens

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>

Closes keycloak#38147
@sguilhen sguilhen force-pushed the 38147-google-id-token-exchange branch from 016472f to 1277898 on March 26, 2025 18:08
@sguilhen sguilhen requested a review from rmartinc March 26, 2025 19:10
@sguilhen
Contributor Author

@rmartinc is the change to OIDCIdentityProvider.isTokenTypeSupported necessary? Wouldn't it be better to override it in the Google provider if that is indeed needed?

@rmartinc
Contributor

@rmartinc is the change to OIDCIdentityProvider.isTokenTypeSupported necessary? Wouldn't it be better to override it in the Google provider if that is indeed needed?

No, it's not necessary. I just did it to pass the other issue #33332 quickly 😄. But probably they need the option set now to be able to validate the google ID token.
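The exchange above is about where the token-type check should live: the stash short-circuits it in the base OIDC provider, and the question is whether a per-provider override would be the better fix. The following is an added illustration of that check, not Keycloak's code or anything from this PR. It mirrors the diff's `-` line (`SUPPORTED_TOKEN_TYPES.contains(parsedToken.getType())`) and the `+` line that replaces it with `return true`, using a constructed allowlist and constructed unsigned tokens; it reads the `typ` claim from the payload because that is what Keycloak's JsonWebToken.getType() returns, and it does no signature verification.

```python
import base64
import json
from typing import FrozenSet, Optional

# Added illustration, not Keycloak code. It mirrors the check on the diff's '-' line
# (SUPPORTED_TOKEN_TYPES.contains(parsedToken.getType())) and the '+' line that
# replaces it with "return true". Keycloak's JsonWebToken.getType() returns the
# token's "typ" claim, so the check below reads that claim from the payload.

# Constructed allowlist standing in for Keycloak's SUPPORTED_TOKEN_TYPES constant;
# the real contents of that constant are not shown on the page.
SUPPORTED_TOKEN_TYPES: FrozenSet[str] = frozenset({"ID", "JWT"})


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in compact JWS."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_token_type(compact_jwt: str) -> Optional[str]:
    """Return the payload 'typ' claim of a compact JWS, or None when absent.

    Signature verification is a separate step and is out of scope here.
    """
    parts = compact_jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    claims = json.loads(_b64url_decode(parts[1]))
    typ = claims.get("typ")
    return typ if isinstance(typ, str) else None


def is_token_type_supported(compact_jwt: str,
                            supported: FrozenSet[str] = SUPPORTED_TOKEN_TYPES) -> bool:
    """Allowlist check from the diff's '-' line.

    A provider-specific override corresponds to passing that provider's own
    allowlist; every other provider keeps the default.
    """
    typ = parse_token_type(compact_jwt)
    return typ is not None and typ in supported


def is_token_type_supported_bypassed(compact_jwt: str) -> bool:
    """The stash's '+' line: every token passes, whatever its type."""
    return True


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned compact JWS (alg 'none') for the samples below."""
    header = {"alg": "none"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "",  # empty signature segment
    ])


# Constructed sample tokens (not real tokens from any issuer).
ID_TOKEN = make_unsigned_token({"typ": "ID", "sub": "user-1", "aud": "client-a"})
ACCESS_TOKEN = make_unsigned_token({"typ": "Bearer", "sub": "user-1", "scope": "read"})
UNTYPED_ID_TOKEN = make_unsigned_token({"sub": "user-1", "aud": "client-a"})  # no typ claim


def compare_checks() -> dict:
    """Report which constructed tokens each variant of the check lets through."""
    samples = {
        "id_token": ID_TOKEN,
        "access_token": ACCESS_TOKEN,
        "untyped_id_token": UNTYPED_ID_TOKEN,
    }
    return {
        "allowlist": {name: is_token_type_supported(tok) for name, tok in samples.items()},
        "bypass": {name: is_token_type_supported_bypassed(tok) for name, tok in samples.items()},
    }


if __name__ == "__main__":
    for variant, results in compare_checks().items():
        print(f"{variant:9s} {results}")
```

Run as a script it shows the allowlist rejecting both the `Bearer`-typed sample and the sample with no `typ` claim, while the bypass accepts all three. The second of those rejections is the failure mode this thread is about; the point of the comparison is that `return true` changes the outcome for every provider, whereas an override (here, a provider-specific `supported` set) scopes the decision to the one provider that needs it.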

Successfully merging this pull request may close these issues.

Google token exchange not working since not able to fetch user info for id token
2 participants