diff --git a/backend/internal/common/errors.go b/backend/internal/common/errors.go index b97f2af0..9a0b41b0 100644 --- a/backend/internal/common/errors.go +++ b/backend/internal/common/errors.go @@ -20,7 +20,7 @@ type AlreadyInUseError struct { func (e *AlreadyInUseError) Error() string { return e.Property + " is already in use" } -func (e *AlreadyInUseError) HttpStatusCode() int { return 400 } +func (e *AlreadyInUseError) HttpStatusCode() int { return http.StatusBadRequest } func (e *AlreadyInUseError) Is(target error) bool { // Ignore the field property when checking if an error is of the type AlreadyInUseError @@ -31,26 +31,26 @@ func (e *AlreadyInUseError) Is(target error) bool { type SetupAlreadyCompletedError struct{} func (e *SetupAlreadyCompletedError) Error() string { return "setup already completed" } -func (e *SetupAlreadyCompletedError) HttpStatusCode() int { return 400 } +func (e *SetupAlreadyCompletedError) HttpStatusCode() int { return http.StatusConflict } type TokenInvalidOrExpiredError struct{} func (e *TokenInvalidOrExpiredError) Error() string { return "token is invalid or expired" } -func (e *TokenInvalidOrExpiredError) HttpStatusCode() int { return 400 } +func (e *TokenInvalidOrExpiredError) HttpStatusCode() int { return http.StatusUnauthorized } type DeviceCodeInvalid struct{} func (e *DeviceCodeInvalid) Error() string { return "one time access code must be used on the device it was generated for" } -func (e *DeviceCodeInvalid) HttpStatusCode() int { return 400 } +func (e *DeviceCodeInvalid) HttpStatusCode() int { return http.StatusUnauthorized } type TokenInvalidError struct{} func (e *TokenInvalidError) Error() string { return "Token is invalid" } -func (e *TokenInvalidError) HttpStatusCode() int { return 400 } +func (e *TokenInvalidError) HttpStatusCode() int { return http.StatusUnauthorized } type OidcMissingAuthorizationError struct{} 
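Review bot: The three token errors in the second hunk (`TokenInvalidOrExpiredError`, `DeviceCodeInvalid`, `TokenInvalidError`) now return 401, and RFC 9110 requires a 401 response to carry a `WWW-Authenticate` challenge, which nothing in this hunk sets. The code that turns `HttpStatusCode()` into a response is outside the diff, so confirm it adds that header for 401s. Also confirm that any client-side handling that treats 401 as an expired session does not swallow these one-time-token messages. A short comment on each type, such as `// 401: the presented one-time token did not authenticate the caller`, would record why 401 was chosen over 400.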
@@ -60,46 +60,51 @@ func (e *OidcMissingAuthorizationError) HttpStatusCode() int { return http.Statu type OidcGrantTypeNotSupportedError struct{} func (e *OidcGrantTypeNotSupportedError) Error() string { return "grant type not supported" } -func (e *OidcGrantTypeNotSupportedError) HttpStatusCode() int { return 400 } +func (e *OidcGrantTypeNotSupportedError) HttpStatusCode() int { return http.StatusBadRequest } type OidcMissingClientCredentialsError struct{} func (e *OidcMissingClientCredentialsError) Error() string { return "client id or secret not provided" } -func (e *OidcMissingClientCredentialsError) HttpStatusCode() int { return 400 } +func (e *OidcMissingClientCredentialsError) HttpStatusCode() int { return http.StatusBadRequest } type OidcClientSecretInvalidError struct{} func (e *OidcClientSecretInvalidError) Error() string { return "invalid client secret" } -func (e *OidcClientSecretInvalidError) HttpStatusCode() int { return 400 } +func (e *OidcClientSecretInvalidError) HttpStatusCode() int { return http.StatusUnauthorized } type OidcClientAssertionInvalidError struct{} func (e *OidcClientAssertionInvalidError) Error() string { return "invalid client assertion" } -func (e *OidcClientAssertionInvalidError) HttpStatusCode() int { return 400 } +func (e *OidcClientAssertionInvalidError) HttpStatusCode() int { return http.StatusUnauthorized } type OidcInvalidAuthorizationCodeError struct{} func (e *OidcInvalidAuthorizationCodeError) Error() string { return "invalid authorization code" } -func (e *OidcInvalidAuthorizationCodeError) HttpStatusCode() int { return 400 } +func (e *OidcInvalidAuthorizationCodeError) HttpStatusCode() int { return http.StatusBadRequest } + +type OidcClientNotFoundError struct{} + +func (e *OidcClientNotFoundError) Error() string { return "client not found" } +func (e *OidcClientNotFoundError) HttpStatusCode() int { return http.StatusNotFound } type OidcMissingCallbackURLError struct{} func (e *OidcMissingCallbackURLError) Error() 
string { return "unable to detect callback url, it might be necessary for an admin to fix this" } -func (e *OidcMissingCallbackURLError) HttpStatusCode() int { return 400 } +func (e *OidcMissingCallbackURLError) HttpStatusCode() int { return http.StatusBadRequest } type OidcInvalidCallbackURLError struct{} func (e *OidcInvalidCallbackURLError) Error() string { return "invalid callback URL, it might be necessary for an admin to fix this" } -func (e *OidcInvalidCallbackURLError) HttpStatusCode() int { return 400 } +func (e *OidcInvalidCallbackURLError) HttpStatusCode() int { return http.StatusBadRequest } type FileTypeNotSupportedError struct{} func (e *FileTypeNotSupportedError) Error() string { return "file type not supported" } -func (e *FileTypeNotSupportedError) HttpStatusCode() int { return 400 } +func (e *FileTypeNotSupportedError) HttpStatusCode() int { return http.StatusBadRequest } type FileTooLargeError struct { MaxSize string diff --git a/backend/internal/controller/oidc_controller.go b/backend/internal/controller/oidc_controller.go index 5dd9404f..193a6723 100644 --- a/backend/internal/controller/oidc_controller.go +++ b/backend/internal/controller/oidc_controller.go @@ -335,11 +335,13 @@ func (oc *OidcController) introspectTokenHandler(c *gin.Context) { ) creds.ClientID, creds.ClientSecret, ok = utils.OAuthClientBasicAuth(c.Request) if !ok { - // If there's no basic auth, check if we have a bearer token + // If there's no basic auth, check if we have a bearer token (used as client assertion) bearer, ok := utils.BearerAuth(c.Request) if ok { creds.ClientAssertionType = service.ClientAssertionTypeJWTBearer creds.ClientAssertion = bearer + // When using client assertions, client_id can be passed as a form field + creds.ClientID = input.ClientID } } 
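Review bot: `OidcClientNotFoundError` answers an unknown `client_id` with `http.StatusNotFound` and "client not found", while a known client with bad credentials gets 401, so an unauthenticated caller can tell which client IDs exist. RFC 6749 section 5.2 folds an unknown client into `invalid_client`, so the method could `return http.StatusUnauthorized` with a message that matches the other credential failures, keeping the precise reason in the server log only. The same distinction is introduced in `verifyClientCredentialsInternal` in oidc_service.go, whose not-found branch returns this type. If the 404 is kept on purpose, a comment on the type saying that client IDs are not treated as confidential would make the decision visible.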
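Review bot: `creds.ClientID = input.ClientID` takes the client identity from an unauthenticated form field, and the added comment does not say that the value is only a lookup key until the assertion has been verified against that client. I would extend it to something like `// client_id only selects which client's federated identities the assertion is checked against; it is not trusted on its own`. A request that sends a bearer assertion without `client_id` now appears to end in `OidcMissingClientCredentialsError`, whose message ("client id or secret not provided") does not tell an assertion caller what is missing. The handler starts and ends outside the hunk, so where `input` is bound cannot be seen here.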
@@ -662,8 +664,13 @@ func (oc *OidcController) updateAllowedUserGroupsHandler(c *gin.Context) { } func (oc *OidcController) deviceAuthorizationHandler(c *gin.Context) { + // Per RFC 8628 (OAuth 2.0 Device Authorization Grant), parameters for the device authorization request MUST be sent in the body of the POST request + // Gin's "ShouldBind" by default reads from the query string too, so we need to reset all query string args before invoking ShouldBind + c.Request.URL.RawQuery = "" + var input dto.OidcDeviceAuthorizationRequestDto - if err := c.ShouldBind(&input); err != nil { + err := c.ShouldBind(&input) + if err != nil { _ = c.Error(err) return } diff --git a/backend/internal/dto/oidc_dto.go b/backend/internal/dto/oidc_dto.go index 08e271bb..e6a186a6 100644 --- a/backend/internal/dto/oidc_dto.go +++ b/backend/internal/dto/oidc_dto.go @@ -98,7 +98,8 @@ type OidcCreateTokensDto struct { } type OidcIntrospectDto struct { - Token string `form:"token" binding:"required"` + Token string `form:"token" binding:"required"` + ClientID string `form:"client_id"` } type OidcUpdateAllowedUserGroupsDto struct { diff --git a/backend/internal/service/oidc_service.go b/backend/internal/service/oidc_service.go index 828e0710..1d04c8d1 100644 --- a/backend/internal/service/oidc_service.go +++ b/backend/internal/service/oidc_service.go 
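Review bot: Clearing `c.Request.URL.RawQuery` in `deviceAuthorizationHandler` only keeps query parameters out of the bind if nothing earlier in the chain has already parsed the form, because `ParseForm` does not re-parse once `Request.Form` is populated. It also mutates the request that later middleware and access logging see. Binding from the body explicitly avoids both problems: `err := c.ShouldBindWith(&input, binding.FormPost)`, which maps from `Request.PostForm` and never includes query values. If other OAuth endpoints in this controller bind with `ShouldBind`, they presumably accept query-string parameters in the same way and deserve the same treatment. The handler body continues outside the hunk.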
@@ -1644,34 +1644,19 @@ func clientAuthCredentialsFromCreateTokensDto(d *dto.OidcCreateTokensDto) Client } func (s *OidcService) verifyClientCredentialsInternal(ctx context.Context, tx *gorm.DB, input ClientAuthCredentials, allowPublicClientsWithoutAuth bool) (client *model.OidcClient, err error) { - isClientAssertion := input.ClientAssertionType == ClientAssertionTypeJWTBearer && input.ClientAssertion != "" - - // Determine the client ID based on the authentication method - var clientID string - switch { - case isClientAssertion: - // Extract client ID from the JWT assertion's 'sub' claim - clientID, err = s.extractClientIDFromAssertion(input.ClientAssertion) - if err != nil { - slog.Error("Failed to extract client ID from assertion", "error", err) - return nil, &common.OidcClientAssertionInvalidError{} - } - case input.ClientID != "": - // Use the provided client ID for other authentication methods - clientID = input.ClientID - default: + if input.ClientID == "" { return nil, &common.OidcMissingClientCredentialsError{} } // Load the OIDC client's configuration err = tx. WithContext(ctx). - First(&client, "id = ?", clientID). + First(&client, "id = ?", input.ClientID). Error - if err != nil { - if errors.Is(err, gorm.ErrRecordNotFound) && isClientAssertion { - return nil, &common.OidcClientAssertionInvalidError{} - } + if errors.Is(err, gorm.ErrRecordNotFound) { + slog.WarnContext(ctx, "Client not found", slog.String("client", input.ClientID)) + return nil, &common.OidcClientNotFoundError{} + } else if err != nil { return nil, err } 
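Review bot: The assertion path no longer derives the client from the token's `sub`, so the client is whatever the caller puts in `input.ClientID`, and the only binding between assertion and client is the issuer/audience/subject check in `verifyClientAssertionFromFederatedIdentities`. That relaxes RFC 7523's rule that `sub` must be the `client_id`, and nothing in the new code documents it. A comment above the lookup would help, e.g. `// input.ClientID is caller-supplied and unauthenticated here; for client assertions the subject is matched against the client's federated identity config, not the client ID`. If two clients can be configured with the same issuer, audience and subject, one assertion would authenticate as either, so uniqueness of that tuple is worth enforcing where federated identities are saved (outside this diff). The function body continues past the end of the hunk.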
@@ -1686,7 +1671,7 @@ func (s *OidcService) verifyClientCredentialsInternal(ctx context.Context, tx *g return client, nil // Next, check if we want to use client assertions from federated identities - case isClientAssertion: + case input.ClientAssertionType == ClientAssertionTypeJWTBearer && input.ClientAssertion != "": err = s.verifyClientAssertionFromFederatedIdentities(ctx, client, input) if err != nil { slog.WarnContext(ctx, "Invalid assertion for client", slog.String("client", client.ID), slog.Any("error", err)) @@ -1783,36 +1768,20 @@ func (s *OidcService) verifyClientAssertionFromFederatedIdentities(ctx context.C // (Note: we don't use jwt.WithIssuer() because that would be redundant) _, err = jwt.Parse(assertion, jwt.WithValidate(true), + jwt.WithAcceptableSkew(clockSkew), jwt.WithKeySet(jwks, jws.WithInferAlgorithmFromKey(true), jws.WithUseDefault(true)), jwt.WithAudience(audience), jwt.WithSubject(subject), ) if err != nil { - return fmt.Errorf("client assertion is not valid: %w", err) + return fmt.Errorf("client assertion could not be verified: %w", err) } // If we're here, the assertion is valid return nil } -// extractClientIDFromAssertion extracts the client_id from the JWT assertion's 'sub' claim -func (s *OidcService) extractClientIDFromAssertion(assertion string) (string, error) { - // Parse the JWT without verification first to get the claims - insecureToken, err := jwt.ParseInsecure([]byte(assertion)) - if err != nil { - return "", fmt.Errorf("failed to parse JWT assertion: %w", err) - } - - // Extract the subject claim which must be the client_id according to RFC 7523 - sub, ok := insecureToken.Subject() - if !ok || sub == "" { - return "", fmt.Errorf("missing or invalid 'sub' claim in JWT assertion") - } - - return sub, nil -} - func (s *OidcService) GetClientPreview(ctx context.Context, clientID string, userID string, scopes []string) (*dto.OidcClientPreviewDto, error) { tx := s.db.Begin() defer func() { 
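Review bot: `jwt.WithAcceptableSkew(clockSkew)` in the second hunk widens the window in which an assertion's `exp`, `nbf` and `iat` are accepted, and `clockSkew` is defined outside the hunk, so its size cannot be checked here. A comment on the option would make the trade-off explicit: `// Tolerate small clock drift against the assertion issuer; keep clockSkew short, it also extends how long an expired assertion is accepted`. The enclosing function starts outside the hunk.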
diff --git a/backend/internal/service/oidc_service_test.go b/backend/internal/service/oidc_service_test.go
index 4dbab3f6..4374a430 100644
--- a/backend/internal/service/oidc_service_test.go
+++ b/backend/internal/service/oidc_service_test.go
@@ -229,6 +229,12 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 Subject: federatedClient.ID,
 JWKS: federatedClientIssuer + "/jwks.json",
 },
+ {
+ Issuer: "federated-issuer-2",
+ Audience: federatedClientAudience,
+ Subject: "my-federated-client",
+ JWKS: federatedClientIssuer + "/jwks.json",
+ },
 {Issuer: federatedClientIssuerDefaults},
 },
 },
@@ -461,6 +467,43 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) { // Generate a token input := dto.OidcCreateTokensDto{ + ClientID: federatedClient.ID, + ClientAssertion: string(signedToken), + ClientAssertionType: ClientAssertionTypeJWTBearer, + } + createdToken, err := s.createTokenFromClientCredentials(t.Context(), input) + require.NoError(t, err) + require.NotNil(t, token) + + // Verify the token + claims, err := s.jwtService.VerifyOAuthAccessToken(createdToken.AccessToken) + require.NoError(t, err, "Failed to verify generated token") + + // Check the claims + subject, ok := claims.Subject() + _ = assert.True(t, ok, "User ID not found in token") && + assert.Equal(t, "client-"+federatedClient.ID, subject, "Token subject should match federated client ID with prefix") + audience, ok := claims.Audience() + _ = assert.True(t, ok, "Audience not found in token") && + assert.Equal(t, []string{federatedClient.ID}, audience, "Audience should contain the federated client ID") + }) + + t.Run("Succeeds with valid assertion and custom subject", func(t *testing.T) { + // Create JWT for federated identity + token, err := jwt.NewBuilder(). + Issuer("federated-issuer-2"). + Audience([]string{federatedClientAudience}). + Subject("my-federated-client"). + IssuedAt(time.Now()). + Expiration(time.Now().Add(10 * time.Minute)). + Build() + require.NoError(t, err) + signedToken, err := jwt.Sign(token, jwt.WithKey(jwa.ES256(), privateJWK)) + require.NoError(t, err) + + // Generate a token + input := dto.OidcCreateTokensDto{ + ClientID: federatedClient.ID, ClientAssertion: string(signedToken), ClientAssertionType: ClientAssertionTypeJWTBearer, } @@ -483,6 +526,7 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) { t.Run("Fails with invalid assertion", func(t *testing.T) { input := dto.OidcCreateTokensDto{ + ClientID: confidentialClient.ID, ClientAssertion: "invalid.jwt.token", ClientAssertionType: ClientAssertionTypeJWTBearer, } 
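Review bot: The added cases cover only the accepting paths of the new caller-supplied `ClientID`; there is no case where a valid assertion for `federatedClient` is presented with another client's ID (for example `confidentialClient.ID`) and must be rejected, and none for an assertion sent with an empty `ClientID`. Those two negative cases are what pin the binding between assertion and client now that the ID is no longer read from `sub`. Separately, `require.NotNil(t, token)` in the added lines appears to check the JWT built as input rather than the result, so it can never fail; it should read `require.NotNil(t, createdToken)`. The start of the first sub-test and the end of the second are outside the hunk.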
diff --git a/frontend/messages/cs.json b/frontend/messages/cs.json
index 0368fb55..8bf78ad7 100644
--- a/frontend/messages/cs.json
+++ b/frontend/messages/cs.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "Zadejte kód, který byl zobrazen v předchozím kroku.",
 "authorize": "Autorizovat",
 "federated_client_credentials": "Údaje o klientovi ve federaci",
- "federated_client_credentials_description": "Pomocí federovaných přihlašovacích údajů klienta můžete ověřit klienty OIDC pomocí JWT tokenů vydaných třetí stranou.",
 "add_federated_client_credential": "Přidat údaje federovaného klienta",
 "add_another_federated_client_credential": "Přidat dalšího federovaného klienta",
 "oidc_allowed_group_count": "Počet povolených skupin",
diff --git a/frontend/messages/da.json b/frontend/messages/da.json
index 9afdca79..5d2b3336 100644
--- a/frontend/messages/da.json
+++ b/frontend/messages/da.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "Indtast koden, der blev vist i det forrige trin.",
 "authorize": "Godkend",
 "federated_client_credentials": "Federated klientlegitimationsoplysninger",
- "federated_client_credentials_description": "Ved hjælp af federated klientlegitimationsoplysninger kan du godkende OIDC-klienter med JWT-tokens udstedt af tredjepartsudbydere.",
 "add_federated_client_credential": "Tilføj federated klientlegitimation",
 "add_another_federated_client_credential": "Tilføj endnu en federated klientlegitimation",
 "oidc_allowed_group_count": "Tilladt antal grupper",
diff --git a/frontend/messages/de.json b/frontend/messages/de.json
index bffc38c6..79885fcc 100644
--- a/frontend/messages/de.json
+++ b/frontend/messages/de.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "Gib den Code ein, der im vorherigen Schritt angezeigt wurde.",
 "authorize": "Autorisieren",
 "federated_client_credentials": "Federated Client Credentials",
- "federated_client_credentials_description": "Mit Hilfe von Verbund-Client-Anmeldeinformationen kannst du OIDC-Clients mit JWT-Tokens authentifizieren, die von Drittanbietern ausgestellt wurden.",
 "add_federated_client_credential": "Föderierte Client-Anmeldeinfos hinzufügen",
 "add_another_federated_client_credential": "Weitere Anmeldeinformationen für einen Verbundclient hinzufügen",
 "oidc_allowed_group_count": "Erlaubte Gruppenanzahl",
diff --git a/frontend/messages/en.json b/frontend/messages/en.json
index e328330e..e89938b8 100644
--- a/frontend/messages/en.json
+++ b/frontend/messages/en.json
@@ -365,7 +365,7 @@
 "enter_code_displayed_in_previous_step": "Enter the code that was displayed in the previous step.",
 "authorize": "Authorize",
 "federated_client_credentials": "Federated Client Credentials",
- "federated_client_credentials_description": "Using federated client credentials, you can authenticate OIDC clients using JWT tokens issued by third-party authorities.",
+ "federated_client_credentials_description": "Federated client credentials allow authenticating OIDC clients without managing long-lived secrets. They leverage JWT tokens issued by third-party authorities for client assertions, e.g. workload identity tokens.",
 "add_federated_client_credential": "Add Federated Client Credential",
 "add_another_federated_client_credential": "Add another federated client credential",
 "oidc_allowed_group_count": "Allowed Group Count",
diff --git a/frontend/messages/es.json b/frontend/messages/es.json
index 9c1cce93..ac6fdd78 100644
--- a/frontend/messages/es.json
+++ b/frontend/messages/es.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "Introduce el código que se mostró en el paso anterior.",
 "authorize": "Autorizar",
 "federated_client_credentials": "Credenciales de cliente federadas",
- "federated_client_credentials_description": "Mediante credenciales de cliente federadas, puedes autenticar clientes OIDC utilizando tokens JWT emitidos por autoridades de terceros.",
 "add_federated_client_credential": "Añadir credenciales de cliente federado",
 "add_another_federated_client_credential": "Añadir otra credencial de cliente federado",
 "oidc_allowed_group_count": "Recuento de grupos permitidos",
diff --git a/frontend/messages/et.json b/frontend/messages/et.json
index e328330e..d3aedc7c 100644
--- a/frontend/messages/et.json
+++ b/frontend/messages/et.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "Enter the code that was displayed in the previous step.",
 "authorize": "Authorize",
 "federated_client_credentials": "Federated Client Credentials",
- "federated_client_credentials_description": "Using federated client credentials, you can authenticate OIDC clients using JWT tokens issued by third-party authorities.",
 "add_federated_client_credential": "Add Federated Client Credential",
 "add_another_federated_client_credential": "Add another federated client credential",
 "oidc_allowed_group_count": "Allowed Group Count",
diff --git a/frontend/messages/fi.json b/frontend/messages/fi.json
index b8ba5899..59d1f041 100644
--- a/frontend/messages/fi.json
+++ b/frontend/messages/fi.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "Syötä edellisessä vaiheessa näkynyt koodi.",
 "authorize": "Salli",
 "federated_client_credentials": "Federoidut asiakastunnukset",
- "federated_client_credentials_description": "Yhdistettyjen asiakastunnistetietojen avulla voit todentaa OIDC-asiakkaat kolmannen osapuolen myöntämillä JWT-tunnuksilla.",
 "add_federated_client_credential": "Lisää federoitu asiakastunnus",
 "add_another_federated_client_credential": "Lisää toinen federoitu asiakastunnus",
 "oidc_allowed_group_count": "Sallittujen ryhmien määrä",
diff --git a/frontend/messages/fr.json b/frontend/messages/fr.json
index aa9f71b2..9ff785d4 100644
--- a/frontend/messages/fr.json
+++ b/frontend/messages/fr.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "Entrez le code affiché à l'étape précédente.",
 "authorize": "Autoriser",
 "federated_client_credentials": "Identifiants client fédérés",
- "federated_client_credentials_description": "Avec des identifiants clients fédérés, vous pouvez authentifier des clients OIDC avec des tokens JWT émis par des autorités tierces.",
 "add_federated_client_credential": "Ajouter un identifiant client fédéré",
 "add_another_federated_client_credential": "Ajouter un autre identifiant client fédéré",
 "oidc_allowed_group_count": "Nombre de groupes autorisés",
diff --git a/frontend/messages/it.json b/frontend/messages/it.json
index 890ad08c..e4337b43 100644
--- a/frontend/messages/it.json
+++ b/frontend/messages/it.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "Inserisci il codice visualizzato nel passaggio precedente.",
 "authorize": "Autorizza",
 "federated_client_credentials": "Identità Federate",
- "federated_client_credentials_description": "Utilizzando identità federate, è possibile autenticare i client OIDC utilizzando i token JWT emessi da autorità di terze parti.",
 "add_federated_client_credential": "Aggiungi Identità Federata",
 "add_another_federated_client_credential": "Aggiungi un'altra identità federata",
 "oidc_allowed_group_count": "Numero Gruppi Consentiti",
diff --git a/frontend/messages/ja.json b/frontend/messages/ja.json
index fa8c024c..2f480471 100644
--- a/frontend/messages/ja.json
+++ b/frontend/messages/ja.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "前のステップで表示されたコードを入力してください。",
 "authorize": "Authorize",
 "federated_client_credentials": "連携クライアントの資格情報",
- "federated_client_credentials_description": "Using federated client credentials, you can authenticate OIDC clients using JWT tokens issued by third-party authorities.",
 "add_federated_client_credential": "Add Federated Client Credential",
 "add_another_federated_client_credential": "Add another federated client credential",
 "oidc_allowed_group_count": "許可されたグループ数",
diff --git a/frontend/messages/ko.json b/frontend/messages/ko.json
index 0de41375..6ec07029 100644
--- a/frontend/messages/ko.json
+++ b/frontend/messages/ko.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "이전 단계에 표시된 코드를 입력하세요.",
 "authorize": "승인",
 "federated_client_credentials": "연동 클라이언트 자격 증명",
- "federated_client_credentials_description": "연동 클라이언트 자격 증명을 이용하여, OIDC 클라이언트를 제3자 인증 기관에서 발급한 JWT 토큰을 이용해 인증할 수 있습니다.",
 "add_federated_client_credential": "연동 클라이언트 자격 증명 추가",
 "add_another_federated_client_credential": "다른 연동 클라이언트 자격 증명 추가",
 "oidc_allowed_group_count": "허용된 그룹 수",
diff --git a/frontend/messages/nl.json b/frontend/messages/nl.json
index 19cb99d3..958da44c 100644
--- a/frontend/messages/nl.json
+++ b/frontend/messages/nl.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "Voer de code in die in de vorige stap werd getoond.",
 "authorize": "Autoriseren",
 "federated_client_credentials": "Federatieve clientreferenties",
- "federated_client_credentials_description": "Met federatieve clientreferenties kun je OIDC-clients verifiëren met JWT-tokens die zijn uitgegeven door andere instanties.",
 "add_federated_client_credential": "Federatieve clientreferenties toevoegen",
 "add_another_federated_client_credential": "Voeg nog een federatieve clientreferentie toe",
 "oidc_allowed_group_count": "Aantal groepen met toegang",
diff --git a/frontend/messages/no.json b/frontend/messages/no.json
index 1c131f38..320291e5 100644
--- a/frontend/messages/no.json
+++ b/frontend/messages/no.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "Enter the code that was displayed in the previous step.",
 "authorize": "Authorize",
 "federated_client_credentials": "Federated Client Credentials",
- "federated_client_credentials_description": "Using federated client credentials, you can authenticate OIDC clients using JWT tokens issued by third-party authorities.",
 "add_federated_client_credential": "Add Federated Client Credential",
 "add_another_federated_client_credential": "Add another federated client credential",
 "oidc_allowed_group_count": "Allowed Group Count",
diff --git a/frontend/messages/pl.json b/frontend/messages/pl.json
index ee6a0148..be63509c 100644
--- a/frontend/messages/pl.json
+++ b/frontend/messages/pl.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "Wprowadź kod wyświetlony w poprzednim kroku.",
 "authorize": "Autoryzuj",
 "federated_client_credentials": "Połączone poświadczenia klienta",
- "federated_client_credentials_description": "Korzystając z połączonych poświadczeń klienta, możecie uwierzytelnić klientów OIDC za pomocą tokenów JWT wydanych przez zewnętrzne organy.",
 "add_federated_client_credential": "Dodaj poświadczenia klienta federacyjnego",
 "add_another_federated_client_credential": "Dodaj kolejne poświadczenia klienta federacyjnego",
 "oidc_allowed_group_count": "Dopuszczalna liczba grup",
diff --git a/frontend/messages/pt-BR.json b/frontend/messages/pt-BR.json
index 1b94665b..3d28baec 100644
--- a/frontend/messages/pt-BR.json
+++ b/frontend/messages/pt-BR.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "Digite o código que apareceu na etapa anterior.",
 "authorize": "Autorizar",
 "federated_client_credentials": "Credenciais de Cliente Federadas",
- "federated_client_credentials_description": "Ao utilizar credenciais de cliente federadas, é possível autenticar clientes OIDC usando tokens JWT emitidos por autoridades de terceiros.",
 "add_federated_client_credential": "Adicionar credencial de cliente federado",
 "add_another_federated_client_credential": "Adicionar outra credencial de cliente federado",
 "oidc_allowed_group_count": "Total de grupos permitidos",
diff --git a/frontend/messages/ru.json b/frontend/messages/ru.json
index 3f2239fa..7774a94e 100644
--- a/frontend/messages/ru.json
+++ b/frontend/messages/ru.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "Введите код, который был отображен на предыдущем шаге.",
 "authorize": "Авторизовать",
 "federated_client_credentials": "Федеративные учетные данные клиента",
- "federated_client_credentials_description": "Используя федеративные учетные данные клиента, вы можете аутентифицировать клиентов OIDC с помощью токенов JWT, выпущенных сторонними поставщиками удостоверений.",
 "add_federated_client_credential": "Добавить федеративные учетные данные клиента",
 "add_another_federated_client_credential": "Добавить другие федеративные учетные данные клиента",
 "oidc_allowed_group_count": "Число разрешенных групп",
diff --git a/frontend/messages/sv.json b/frontend/messages/sv.json
index c45fdf43..2a46b86f 100644
--- a/frontend/messages/sv.json
+++ b/frontend/messages/sv.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "Ange koden som visades i föregående steg.",
 "authorize": "Godkänn",
 "federated_client_credentials": "Federerade klientuppgifter",
- "federated_client_credentials_description": "Med hjälp av federerade klientuppgifter kan du autentisera OIDC-klienter med JWT-tokens som utfärdats av externa auktoriteter.",
 "add_federated_client_credential": "Lägg till federerad klientuppgift",
 "add_another_federated_client_credential": "Lägg till ytterligare en federerad klientuppgift",
 "oidc_allowed_group_count": "Tillåtet antal grupper",
diff --git a/frontend/messages/tr.json b/frontend/messages/tr.json
index dc7b5985..608939db 100644
--- a/frontend/messages/tr.json
+++ b/frontend/messages/tr.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "Önceki adımda görüntülenen kodu girin.",
 "authorize": "Yetkilendir",
 "federated_client_credentials": "Birleştirilmiş İstemci Kimlik Bilgileri",
- "federated_client_credentials_description": "Birleşik istemci kimlik bilgilerini kullanarak, üçüncü taraf otoriteleri tarafından verilen JWT token'ları kullanarak OIDC istemcilerinin kimliklerini doğrulayabilirsiniz.",
 "add_federated_client_credential": "Birleştirilmiş İstemci Kimlik Bilgisi Ekle",
 "add_another_federated_client_credential": "Başka bir birleştirilmiş istemci kimlik bilgisi ekle",
 "oidc_allowed_group_count": "İzin Verilen Grup Sayısı",
diff --git a/frontend/messages/uk.json b/frontend/messages/uk.json
index c4e7955c..06b548fe 100644
--- a/frontend/messages/uk.json
+++ b/frontend/messages/uk.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "Введіть код, який було показано на попередньому кроці.",
 "authorize": "Авторизувати",
 "federated_client_credentials": "Федеративні облікові дані клієнта",
- "federated_client_credentials_description": "За допомогою федеративних облікових даних клієнта ви можете автентифікувати клієнтів OIDC за допомогою токенів JWT, виданих третіми сторонами.",
 "add_federated_client_credential": "Додати федеративний обліковий запис клієнта",
 "add_another_federated_client_credential": "Додати ще один федеративний обліковий запис клієнта",
 "oidc_allowed_group_count": "Кількість дозволених груп",
diff --git a/frontend/messages/vi.json b/frontend/messages/vi.json
index 611a887c..8d861e5a 100644
--- a/frontend/messages/vi.json
+++ b/frontend/messages/vi.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "Nhập mã đã hiển thị ở bước trước.",
 "authorize": "Cho phép",
 "federated_client_credentials": "Thông Tin Xác Thực Của Federated Clients",
- "federated_client_credentials_description": "Sử dụng thông tin xác thực của federated client, bạn có thể xác thực các client OIDC bằng cách sử dụng token JWT được cấp bởi các bên thứ ba.",
 "add_federated_client_credential": "Thêm thông tin xác thực cho federated clients",
 "add_another_federated_client_credential": "Thêm một thông tin xác thực cho federated clients khác",
 "oidc_allowed_group_count": "Số lượng nhóm được phép",
diff --git a/frontend/messages/zh-CN.json b/frontend/messages/zh-CN.json
index 5b051731..99b9a987 100644
--- a/frontend/messages/zh-CN.json
+++ b/frontend/messages/zh-CN.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "输入在上一步中显示的代码",
 "authorize": "授权",
 "federated_client_credentials": "联合身份",
- "federated_client_credentials_description": "您可以使用联合身份,通过第三方授权机构签发的 JWT 令牌,对 OIDC 客户端进行认证。",
 "add_federated_client_credential": "添加联合身份",
 "add_another_federated_client_credential": "再添加一个联合身份",
 "oidc_allowed_group_count": "允许的群组数量",
diff --git a/frontend/messages/zh-TW.json b/frontend/messages/zh-TW.json
index 58c57e5a..eac55e18 100644
--- a/frontend/messages/zh-TW.json
+++ b/frontend/messages/zh-TW.json
@@ -365,7 +365,6 @@
 "enter_code_displayed_in_previous_step": "請輸入上一步顯示的代碼。",
 "authorize": "授權",
 "federated_client_credentials": "聯邦身分",
- "federated_client_credentials_description": "使用聯邦身分,您可以透過由第三方授權機構簽發的 JWT 令牌來驗證 OIDC 客戶端。",
 "add_federated_client_credential": "增加聯邦身分",
 "add_another_federated_client_credential": "新增另一組聯邦身分",
 "oidc_allowed_group_count": "允許的群組數量",
diff --git a/tests/specs/oidc.spec.ts b/tests/specs/oidc.spec.ts
index 9f16d8fc..2b96709f 100644
--- a/tests/specs/oidc.spec.ts
+++ b/tests/specs/oidc.spec.ts
@@ -332,6 +332,7 @@ test.describe('Introspection endpoint', () => {
 Authorization: 'Bearer ' + clientAssertion
 },
 form: {
+ client_id: oidcClients.federated.id,
 token: validAccessToken
 }
 });
@@ -374,6 +375,7 @@ test.describe('Introspection endpoint', () => {
 Authorization: 'Bearer ' + clientAssertion
 },
 form: {
+ client_id: oidcClients.federated.id,
 token: validAccessToken
 }
 });