OIDC Validation

Grant type enforcement and scope validation for OAuth2 and OpenID Connect.

Requirements Coverage

REQ-OIDC-001  Enforce allowed grant types per client
REQ-OIDC-002  Validate requested scopes against per-client whitelist
REQ-OIDC-003  Validate redirect URIs against per-client whitelist
REQ-OIDC-004  Require state parameter on authorization requests
REQ-OIDC-005  Require nonce parameter on OpenID Connect requests
REQ-OIDC-006  Enforce PKCE for public clients
REQ-OIDC-007  Block plain PKCE method (require S256)
REQ-OIDC-008  Validate response_type parameter
REQ-OIDC-009  Block tokens in URL query parameters
REQ-OIDC-010  Validate code_verifier length and format

Test Examples

OIDC-001 (BLOCKED): Password grant blocked

Sample Request

curl -X POST https://keycloak-alg:8443/realms/myapp/protocol/openid-connect/token \
  -d 'grant_type=password&username=admin&password=secret&client_id=myapp'

Expected Response

{"error":"access_denied","error_description":"Grant type 'password' is blocked by policy"}

OIDC-002 (BLOCKED): Implicit flow blocked

Sample Request

# -G sends the -d fields as query parameters; the redirect_uri is URL-encoded
curl -G 'https://keycloak-alg:8443/realms/myapp/protocol/openid-connect/auth' \
  -d response_type=token -d client_id=myapp \
  --data-urlencode redirect_uri=https://app.example.com/cb

Expected Response

{"error":"invalid_request","error_description":"Response type 'token' is blocked (implicit flow)"}

OIDC-003 (BLOCKED): Missing PKCE rejected

Sample Request

# -G sends the -d fields as query parameters; no code_challenge is sent for the public client
curl -G 'https://keycloak-alg:8443/realms/myapp/protocol/openid-connect/auth' \
  -d response_type=code -d client_id=public-app -d state=abc \
  --data-urlencode redirect_uri=https://app.example.com/cb

Expected Response

{"error":"invalid_request","error_description":"PKCE required for public clients"}
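The following is an added example, written for this page and not the gateway's own code: a request validator that applies REQ-OIDC-001 to REQ-OIDC-010 and reproduces the three expected responses above. The client registry, its grant/scope/redirect allowlists, and every error string other than the three shown above are assumptions.

```python
import re
from urllib.parse import parse_qs

CLIENTS = {  # constructed client registry (assumption; a real gateway loads it from config)
    "myapp": {"public": False, "grants": {"authorization_code", "refresh_token"},
              "scopes": {"openid", "profile"}, "redirects": {"https://app.example.com/cb"}},
    "public-app": {"public": True, "grants": {"authorization_code"},
                   "scopes": {"openid"}, "redirects": {"https://app.example.com/cb"}},
}
# RFC 7636 code_verifier: 43-128 characters from the unreserved set (REQ-OIDC-010)
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def validate_authorize(query):
    """Return an error_description for a blocked /auth request, or None if it passes."""
    p = {k: v[0] for k, v in parse_qs(query).items()}  # blank values count as absent
    if (client := CLIENTS.get(p.get("client_id", ""))) is None:
        return "Unknown client"
    if (rt := p.get("response_type")) != "code":  # REQ-OIDC-008/009: code flow only, so no token in a URL
        return f"Response type '{rt}' is blocked (implicit flow)"
    if p.get("redirect_uri") not in client["redirects"]:  # REQ-OIDC-003: exact match only
        return "Redirect URI is not registered for this client"
    scopes = set(p.get("scope", "").split())
    if not scopes <= client["scopes"]:  # REQ-OIDC-002
        return "Scope not allowed: " + " ".join(sorted(scopes - client["scopes"]))
    if not p.get("state"):  # REQ-OIDC-004
        return "Missing state parameter"
    if "openid" in scopes and not p.get("nonce"):  # REQ-OIDC-005
        return "Missing nonce parameter"
    if client["public"] and "code_challenge" not in p:  # REQ-OIDC-006
        return "PKCE required for public clients"
    if "code_challenge" in p and p.get("code_challenge_method") != "S256":  # REQ-OIDC-007
        return "PKCE method 'plain' is blocked (require S256)"
    return None


def validate_token(form):
    """Return an error_description for a blocked /token request, or None if it passes."""
    p = {k: v[0] for k, v in parse_qs(form).items()}
    if (client := CLIENTS.get(p.get("client_id", ""))) is None:
        return "Unknown client"
    if (gt := p.get("grant_type")) not in client["grants"]:  # REQ-OIDC-001: per-client allowlist
        return f"Grant type '{gt}' is blocked by policy"
    if gt == "authorization_code":
        cv = p.get("code_verifier", "")
        if client["public"] and not cv:  # REQ-OIDC-006 also applies at the token endpoint
            return "PKCE required for public clients"
        if cv and not VERIFIER_RE.match(cv):  # REQ-OIDC-010
            return "code_verifier must be 43-128 unreserved characters"
    return None
```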