Red Hat build of Keycloak: RHBK-2969

When calling the user info endpoint, the DPoP is not bound to the access token [GHI#38333]



      Before reporting an issue

      [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      core

      Describe the bug

      When DPoP is used with the user info endpoint and a DPoP proof is sent, Keycloak does not check that the proof carries the access token hash, and does not verify that the access token contains the hash of the public key that signed the proof.

      Because of this, a DPoP access token can be presented together with any freshly self-generated DPoP proof. The access token is therefore effectively not bound to DPoP at all, which makes the protection DPoP is supposed to provide useless.
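      As an added illustration (not Keycloak's own code), here are the two binding checks the paragraph above says are missing, written as a small Python validator: the token's `cnf.jkt` must equal the RFC 7638 thumbprint of the key in the proof header, and the proof's `ath` must equal the base64url SHA-256 of the presented access token (RFC 9449). Signature verification of both JWTs is assumed to have already happened, and every key, token and URL below is a constructed placeholder.

```python
import base64
import hashlib
import json

# Added example, not Keycloak code. Signatures on the proof and the access
# token are assumed to be verified already; only the binding checks are shown.

def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT members (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 thumbprint: required members only, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def access_token_hash(access_token: str) -> str:
    """RFC 9449 'ath' claim: base64url(SHA-256(ASCII(access_token)))."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())

def proof_bound_to_token(proof_header: dict, proof_payload: dict,
                         access_token: str, token_claims: dict) -> bool:
    """Both directions of the binding must hold before user info is released."""
    jkt = token_claims.get("cnf", {}).get("jkt")
    if jkt is None:
        return False  # token was never DPoP-bound; no proof can make it so
    if proof_header.get("typ") != "dpop+jwt":
        return False
    # Token -> key: the key that signed the proof must be the bound key.
    if jwk_thumbprint(proof_header["jwk"]) != jkt:
        return False
    # Proof -> token: the proof must name this exact access token via 'ath'.
    return proof_payload.get("ath") == access_token_hash(access_token)

# Constructed fixtures: coordinates are placeholders, not real curve points.
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "client-x-placeholder", "y": "client-y-placeholder"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "other-x-placeholder", "y": "other-y-placeholder"}
ACCESS_TOKEN = "constructed.access.token"
TOKEN_CLAIMS = {"sub": "alice", "cnf": {"jkt": jwk_thumbprint(CLIENT_JWK)}}

def make_proof(jwk: dict, include_ath: bool) -> tuple:
    """Header and payload of a proof for the user info call (placeholder URL)."""
    payload = {"htm": "GET", "htu": "https://idp.example/userinfo"}
    if include_ath:
        payload["ath"] = access_token_hash(ACCESS_TOKEN)
    return {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}, payload
```

A proof from an unrelated key, or one from the bound key that omits `ath` (the shape the linked tests send), is rejected by `proof_bound_to_token`; only the proof that satisfies both checks passes.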

      I found this when reviewing the PR https://github.com/keycloak/keycloak/pull/38134

      Version

      main

      Regression

      [ ] The issue is a regression

      Expected behavior

      When this feature was originally discussed, it was agreed that the access token should be bound to the DPoP proof: https://github.com/keycloak/keycloak/issues/22215

      Actual behavior

      You can see this in our own tests, where we never add the hash to the DPoP proof, not even for the user info endpoint:

      https://github.com/keycloak/keycloak/blob/690b5ecb25fb677c52a79814ed0c5a96d992529f/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/ClientPoliciesUtil.java#L492-L496

      We then use it here to call the user info endpoint successfully.

      https://github.com/keycloak/keycloak/blob/a0086ad454b0152bc46df7a2023e58a11fb273fc/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/DPoPTest.java#L761-L763

      How to Reproduce?

      See the tests linked above.

      Anything else?

      This was discussed with the Keycloak Security Team to be a hardening issue.

      I'll prepare a PR. I will also refactor the code, as we plan to use the DPoP validation of access tokens in other places as well.

              Assignee: Unassigned
              Reporter: Pavel Vlha (pvlha)
              Component: Keycloak Core Clients