OIDC Validation

Grant-type enforcement and scope validation for OAuth2 and OpenID Connect.

Requirement coverage

REQ-OIDC-001: Enforce allowed grant types per client
REQ-OIDC-002: Validate requested scopes against a per-client whitelist
REQ-OIDC-003: Validate redirect URIs against a per-client whitelist (exact string match, no prefix or wildcard matching)
REQ-OIDC-004: Require the state parameter on authorization requests
REQ-OIDC-005: Require the nonce parameter on OpenID Connect requests (requests carrying the openid scope)
REQ-OIDC-006: Enforce PKCE for public clients
REQ-OIDC-007: Block the plain PKCE method (require S256)
REQ-OIDC-008: Validate the response_type parameter
REQ-OIDC-009: Block tokens in URL query parameters
REQ-OIDC-010: Validate code_verifier length and format (43 to 128 unreserved characters, RFC 7636)

Test examples

OIDC-001 BLOCKED

Password grant blocked

Example request

curl -X POST https://keycloak-alg:8443/realms/myapp/protocol/openid-connect/token \
  -d 'grant_type=password&username=admin&password=secret&client_id=myapp'

Expected response

{"error":"access_denied","error_description":"Grant type 'password' is blocked by policy"}

OIDC-002 BLOCKED

Implicit flow blocked

Example request

curl --get https://keycloak-alg:8443/realms/myapp/protocol/openid-connect/auth \
  --data-urlencode 'response_type=token' --data-urlencode 'client_id=myapp' \
  --data-urlencode 'redirect_uri=https://app.example.com/cb'

Expected response

{"error":"invalid_request","error_description":"Response type 'token' is blocked (implicit flow)"}

OIDC-003 BLOCKED

Missing PKCE rejected

Example request

curl --get https://keycloak-alg:8443/realms/myapp/protocol/openid-connect/auth \
  --data-urlencode 'response_type=code' --data-urlencode 'client_id=public-app' \
  --data-urlencode 'redirect_uri=https://app.example.com/cb' --data-urlencode 'state=abc'

Expected response

{"error":"invalid_request","error_description":"PKCE required for public clients"}
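The ten requirements listed under "Requirement coverage" and the three test examples above can be checked offline with the following reference implementation. This is an added example written for this page, not the gateway's own code and not Keycloak's: the per-client policy table, the keying of policy by client_id, the `stored_challenge` parameter that stands in for the gateway's authorization-code store, and the error strings for cases the page does not show are all assumptions. The expected responses for OIDC-001 to OIDC-003 are reproduced as the page states them; note that RFC 6749 section 5.2 defines `unauthorized_client` for a client that is not permitted to use a grant type, whereas the page's OIDC-001 response uses `access_denied`.

```python
"""Reference checks for REQ-OIDC-001..010 (added example, not the gateway's own code).
Hypothetical assumptions: policy is keyed by client_id, the table below is constructed
for the two clients of the test examples, and error strings mirror this page."""
import base64
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

CLIENT_POLICY = {  # constructed per-client policy, not real configuration
    "myapp": {
        "public": False,
        "grant_types": {"authorization_code", "refresh_token", "client_credentials"},
        "scopes": {"openid", "profile", "email"},
        "redirect_uris": {"https://app.example.com/cb"},
    },
    "public-app": {
        "public": True,
        "grant_types": {"authorization_code", "refresh_token"},
        "scopes": {"openid", "profile"},
        "redirect_uris": {"https://app.example.com/cb"},
    },
}
CODE_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")  # RFC 7636 section 4.1
IMPLICIT_RESPONSE_TYPES = {"token", "id_token"}  # implicit and hybrid flows (REQ-OIDC-008)
TOKEN_QUERY_PARAMS = {"access_token", "id_token", "refresh_token"}  # REQ-OIDC-009


class PolicyError(Exception):
    """A rejected request, carrying the OAuth2 error JSON the gateway would return."""

    def __init__(self, error, description):
        super().__init__(description)
        self.error, self.description = error, description

    def as_json(self):
        return {"error": self.error, "error_description": self.description}


def _single(params, name):
    """Return the single value of a parameter, rejecting duplicates (parameter pollution)."""
    values = params.get(name, [])
    if len(values) > 1:
        raise PolicyError("invalid_request", f"Parameter '{name}' must not be repeated")
    return values[0] if values else None


def _client(client_id):
    policy = CLIENT_POLICY.get(client_id)
    if policy is None:
        raise PolicyError("invalid_client", f"Unknown client '{client_id}'")
    return policy


def s256_challenge(code_verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def validate_authorization_request(url):
    """Checks for the /auth endpoint; returns the parsed query or raises PolicyError."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    leaked = TOKEN_QUERY_PARAMS & set(params)
    if leaked:                                                   # REQ-OIDC-009
        raise PolicyError("invalid_request", f"Token in URL query parameter: {sorted(leaked)}")
    client = _client(_single(params, "client_id"))
    response_type = _single(params, "response_type") or ""
    parts = set(response_type.split())
    if parts != {"code"}:                                        # REQ-OIDC-008: only the code flow
        flow = "implicit flow" if parts & IMPLICIT_RESPONSE_TYPES else "unsupported"
        raise PolicyError("invalid_request", f"Response type '{response_type}' is blocked ({flow})")
    if _single(params, "redirect_uri") not in client["redirect_uris"]:  # REQ-OIDC-003, exact match
        raise PolicyError("invalid_request", "redirect_uri is not registered for this client")
    if not _single(params, "state"):                             # REQ-OIDC-004
        raise PolicyError("invalid_request", "Missing state parameter")
    scopes = set((_single(params, "scope") or "").split())
    if scopes - client["scopes"]:                                # REQ-OIDC-002
        raise PolicyError("invalid_scope", f"Scope not allowed for client: {sorted(scopes - client['scopes'])}")
    if "openid" in scopes and not _single(params, "nonce"):      # REQ-OIDC-005
        raise PolicyError("invalid_request", "Missing nonce parameter on OpenID Connect request")
    challenge = _single(params, "code_challenge")
    if client["public"] and challenge is None:                   # REQ-OIDC-006
        raise PolicyError("invalid_request", "PKCE required for public clients")
    if challenge is not None and _single(params, "code_challenge_method") != "S256":  # REQ-OIDC-007
        raise PolicyError("invalid_request", "PKCE code_challenge_method must be S256")
    return params


def validate_token_request(form, stored_challenge=None):
    """Checks for /token. form: decoded body; stored_challenge: hypothetical saved code_challenge."""
    client = _client(form.get("client_id"))
    grant = form.get("grant_type")
    if grant not in client["grant_types"]:                       # REQ-OIDC-001
        raise PolicyError("access_denied", f"Grant type '{grant}' is blocked by policy")
    if grant == "authorization_code":
        verifier = form.get("code_verifier")
        if client["public"] and verifier is None:
            raise PolicyError("invalid_grant", "code_verifier required for public clients")
        if verifier is not None and not CODE_VERIFIER_RE.fullmatch(verifier):  # REQ-OIDC-010
            raise PolicyError("invalid_grant", "code_verifier must be 43 to 128 unreserved characters")
        if stored_challenge is not None and (verifier is None or s256_challenge(verifier) != stored_challenge):
            raise PolicyError("invalid_grant", "code_verifier does not match code_challenge")
    return form


def enforce(validator, request, *args):
    """Run a validator; return the error JSON the gateway would send, or None when allowed."""
    try:
        validator(request, *args)
    except PolicyError as exc:
        return exc.as_json()
    return None
```

`enforce(validate_token_request, {...})` with the OIDC-001 form body returns the page's `access_denied` JSON, and the two `/auth` URLs from OIDC-002 and OIDC-003 return their expected responses. A code-flow request from `public-app` that carries state, nonce, an allowed scope and an S256 code_challenge passes, and `validate_token_request` later checks that the submitted code_verifier hashes to the stored challenge; that second check is what makes the S256 requirement actually bind the two legs of the flow rather than merely being present on the first one.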