Before reporting an issue
Area
adapter/javascript
Describe the bug
keycloak/keycloak#20621 added support for RFC 9207, which requires clients validate that the Issuer Identifier returned from the Authorization Code Flow response is what is expected before proceeding with the authorization grant. However, there was no logic added in Keycloak.js to do this check.
Version
main
Expected behavior
Keycloak.js validates that the "iss" parameter from the Authorization Code Flow response matches the issuer identifier of the authorization server where the authorization request was sent to, as described in https://datatracker.ietf.org/doc/html/rfc9207#name-validating-the-issuer-ident
Actual behavior
Keycloak.js does nothing with the "iss" parameter.
How to Reproduce?
Not sure how to swap out Issuer values halfway through the Auth Code process, but looking at Keycloak.js shows there's no logic around the "iss" parameter.
Anything else?
No response
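The check the expected-behavior section asks for, written out as an added example (it is not Keycloak.js code and not a proposed patch). It follows RFC 9207 section 2.4: the client compares the "iss" parameter of the authorization response with the issuer identifier of the server it sent the authorization request to, using simple string comparison, and rejects the response on a mismatch; when the client knows the server supports the parameter (the `authorization_response_iss_parameter_supported` metadata flag), a missing "iss" is rejected too. The assumptions are that Keycloak issuer identifiers have the form `<authServerUrl>/realms/<realm>`, that the callback URL carries the response in either the query or the fragment, and that the sample URLs below are constructed.

```javascript
// Added example for RFC 9207 issuer validation on the client side.
// Not part of Keycloak.js; the helper names and sample URLs are assumptions.

// Assumed Keycloak issuer format: <authServerUrl>/realms/<realm>.
function expectedIssuer(authServerUrl, realm) {
  const base = authServerUrl.replace(/\/+$/, "");
  return `${base}/realms/${encodeURIComponent(realm)}`;
}

// Pull the authorization response parameters out of the redirect URL.
// Covers response_mode=query (?code=...) and response_mode=fragment (#code=...).
function parseAuthorizationResponse(redirectUrl) {
  const url = new URL(redirectUrl);
  const raw = url.hash ? url.hash.slice(1) : url.search;
  return new URLSearchParams(raw);
}

// RFC 9207 section 2.4: compare "iss" with the issuer the request went to.
// issRequired is true when the server advertises
// authorization_response_iss_parameter_supported, in which case the
// parameter must be present. The check applies to error responses as well,
// so it runs before "code" or "error" is looked at.
function validateIssuer(params, expected, issRequired) {
  const iss = params.get("iss");
  if (iss === null) {
    return issRequired
      ? { ok: false, reason: "missing iss parameter" }
      : { ok: true, reason: "iss absent and not required by server metadata" };
  }
  // Simple string comparison, as the RFC specifies (no normalization).
  if (iss !== expected) {
    return { ok: false, reason: `iss mismatch: got ${iss}, expected ${expected}` };
  }
  return { ok: true, reason: "iss matches expected issuer" };
}

// Entry point a callback handler would call before exchanging the code.
// Returns { ok, reason, code, state }; callers must not use code when ok is false.
function checkCallback(redirectUrl, authServerUrl, realm, issRequired) {
  const params = parseAuthorizationResponse(redirectUrl);
  const result = validateIssuer(params, expectedIssuer(authServerUrl, realm), issRequired);
  return {
    ok: result.ok,
    reason: result.reason,
    code: result.ok ? params.get("code") : null,
    state: params.get("state"),
  };
}

// Constructed sample callbacks (not real deployments).
const GOOD_QUERY =
  "https://app.example.com/cb?code=abc123&state=xyz&iss=https%3A%2F%2Fsso.example.com%2Frealms%2Fdemo";
const BAD_FRAGMENT =
  "https://app.example.com/cb#code=abc123&state=xyz&iss=https%3A%2F%2Fother.example.net%2Frealms%2Fdemo";
const NO_ISS = "https://app.example.com/cb?code=abc123&state=xyz";

// Usage: the client was configured for https://sso.example.com/ realm "demo".
console.log(checkCallback(GOOD_QUERY, "https://sso.example.com/", "demo", true));
console.log(checkCallback(BAD_FRAGMENT, "https://sso.example.com/", "demo", true));
console.log(checkCallback(NO_ISS, "https://sso.example.com/", "demo", true));
```

The design point is that the comparison is against the issuer the client itself was configured with (derived from its own authServerUrl and realm), never against anything taken from the response, and that it runs before the code is used, so a mismatched or missing issuer never reaches the token endpoint.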