Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
core
Describe the bug
Requesting federated user data with a DPoP token is denied with error 401. The log shows the message "DPoP HTTP URL mismatch".
Version
26.5.2
Regression
- The issue is a regression
Expected behavior
Requests for federated users should succeed.
Actual behavior
Requests for federated users fail with 401.
How to Reproduce?
Request user data of a federated user with a DPoP token. The URL in the token must contain an encoded colon.
Anything else?
The debug log shows this error: [org.keycloak.services.managers.AuthenticationManager] (executor-thread-7) Failed to verify identity token: DPoP HTTP URL mismatch
I am using a keycloakify admin theme which uses DPoP tokens. When trying to view a federated user the theme requests this page: https://keycloak.example.com/auth/admin/realms/myrealm/users/f%3A12d15bfe-1adc-4d74-aab0-62a7372ca43a%3A2632679 . The DPoP token contains the same URL in the HTU. I have verified this in the browser developer console.
Debugging has shown that the URLs do not match in the DPoPHTTPCheck test:
because the DPoP.HTU contains the original URL with ":" encoded as "%3A", but the uri parameter is in decoded form.
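As an added illustration (not Keycloak's code), the following reproduces the comparison described above with the URL quoted in this report: a plain string comparison of the htu against the decoded request URI fails on the encoded colon, while a comparison that decodes each path segment on both sides and ignores query and fragment succeeds. The decoded request URI is assumed to be what the server sees, as the report states.

```python
# Added example, not Keycloak's implementation. Shows why the DPoP htu check
# fails when the proof carries "%3A" but the server-side URI is already decoded.
# Both URL values below are constructed from the URL quoted in the issue.
from urllib.parse import unquote, urlsplit, urlunsplit

# htu as carried in the DPoP proof (colon still percent-encoded)
HTU_IN_PROOF = ("https://keycloak.example.com/auth/admin/realms/myrealm/users/"
                "f%3A12d15bfe-1adc-4d74-aab0-62a7372ca43a%3A2632679")
# request URI as the server sees it after decoding (assumed, per the report)
REQUEST_URI = ("https://keycloak.example.com/auth/admin/realms/myrealm/users/"
               "f:12d15bfe-1adc-4d74-aab0-62a7372ca43a:2632679")


def strip_query_fragment(uri: str) -> str:
    """htu is compared without query and fragment, so drop both."""
    p = urlsplit(uri)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def naive_htu_check(htu: str, request_uri: str) -> bool:
    """Byte-for-byte comparison: fails as soon as one side is percent-encoded."""
    return strip_query_fragment(htu) == strip_query_fragment(request_uri)


def _segments(path: str) -> list:
    """Percent-decode each path segment separately, so an encoded "/" (%2F)
    inside a segment is not confused with a segment boundary."""
    return [unquote(seg) for seg in path.split("/")]


def normalized_htu_check(htu: str, request_uri: str) -> bool:
    """Scheme and host compared case-insensitively, path compared after
    per-segment decoding, so "%3A" and ":" in a segment are the same value."""
    a = urlsplit(strip_query_fragment(htu))
    b = urlsplit(strip_query_fragment(request_uri))
    return (a.scheme.lower() == b.scheme.lower()
            and a.netloc.lower() == b.netloc.lower()
            and _segments(a.path) == _segments(b.path))


if __name__ == "__main__":
    print("naive:", naive_htu_check(HTU_IN_PROOF, REQUEST_URI))            # False
    print("normalized:", normalized_htu_check(HTU_IN_PROOF, REQUEST_URI))  # True
```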