Gabriel Corona
Yes, it works! New introspection response now looks like: ~~~json { "exp": 1719440302, "iat": 1719440002, "jti": "89fe4249-6a7e-4816-8213-b077fc235c7a", "aud": "rs", "typ": "Bearer", "acr": "1", "permissions": [ { "scopes": [ "read" ],...
By the way, the token introspection logic of Keycloak does not take the `token_type_hint` as a **hint** but as a real constraint. This is not conforming to the [Token Introspection...
See https://github.com/randomstuff/keycloak-uma-test (and test_rs_resource.py) for a test environment.
This issue is a non-conformance with the UMA 2.0 specification. AFAIU, it prevents a standard UMA 2.0 Resource Server from actually checking the permissions associated with an RPT using UMA...
> I agree that 'response_mode' could be restricted, but is it possible (per client)? I'm not sure the security benefit is that great. I don't believe an attacker would gain...
Yes, I agree that PAR could be used to prevent tampering with this parameter (as well as other parameters) (as long as client authentication is required for the PAR endpoint...
Two things kind of bother me here: * I'm afraid this often won't be easily implementable without begging `$framework` devs, which means this requirement might be ignored and if too many...
@elarlang, Should this be worded positively instead? (see #2151)
I don't believe we should require the usage of DPoP nonce (FAPI 2.0 does not require it) or "jti" storage. Possible options: * do not mention this topic at all;...