[2.6.x] Update keycloakjs and use access_token instead of id_token for oidc code path #5371

Open
wants to merge 2 commits into
base: 2.6.x

davidvoit

Fixes: #5085

Nonce support in URLs was removed in Keycloak 25 to be
fully OIDC compatible. But this change is not compatible with
old keycloakjs versions. Apicurio used a very old version
and was broken after this Keycloak release.
If the OIDC client auth library is used (instead of the
default keycloakjs one), the id_token is used as the Bearer token.
This is not standards compatible. ID tokens only contain user information
and should never be used for authentication.
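
The id_token / access_token distinction described above, as an added example that is not code from this PR or from Apicurio: the client builds the `Authorization` header from `access_token` only, and an API-side check refuses an ID token presented as a bearer. It assumes Keycloak's `typ` payload claim (`"Bearer"` for access tokens, `"ID"` for ID tokens); the client and audience names and the tokens themselves are constructed.

```javascript
// Added example. Tokens below are constructed and unsigned; a real API
// verifies the JWT signature before trusting any claim.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleJwt = (claims) => `${b64url({ alg: "none" })}.${b64url(claims)}.`;

// Constructed token response; "registry-ui" and "registry-api" are hypothetical names.
const SAMPLE = {
  access_token: sampleJwt({ typ: "Bearer", azp: "registry-ui", aud: ["registry-api"], sub: "u1" }),
  id_token: sampleJwt({ typ: "ID", aud: "registry-ui", sub: "u1", nonce: "n-1" }),
};

// Decode the payload segment of a compact JWT (no signature check here).
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Client side: the bearer credential is the access_token, never the id_token.
function authorizationHeader(tokenResponse) {
  const token = tokenResponse.access_token;
  if (!token) throw new Error("token response has no access_token");
  return `Bearer ${token}`;
}

// API side: claim checks that run after signature verification.
function acceptBearer(headerValue, apiAudience) {
  const m = /^Bearer (\S+)$/.exec(headerValue || "");
  if (!m) return { ok: false, reason: "malformed header" };
  let claims;
  try {
    claims = decodeClaims(m[1]);
  } catch {
    return { ok: false, reason: "undecodable token" };
  }
  // Assumption: Keycloak marks ID tokens with typ "ID" in the payload.
  if (claims.typ === "ID") return { ok: false, reason: "id_token used as bearer" };
  // An ID token's audience is the client; an access token must name this API.
  const aud = [].concat(claims.aud || []);
  if (!aud.includes(apiAudience)) return { ok: false, reason: "audience mismatch" };
  return { ok: true, reason: "access token" };
}
```

Even without the `typ` check, the ID token above would fail the audience check, because its `aud` is the client rather than the API.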

apicurio-bot bot commented Oct 21, 2024

Thank you for creating a pull request!

Pinging @EricWittmann to respond or triage.

@carlesarnal
Member

This looks correct I think, but since we don't have automated tests in the browser for authentication, I have to manually test this PR. I'll add that to my list. Thanks for the contribution.
