OAuth2DeviceConfig: fix polling interval defaults

Instead of DEFAULT_OAUTH2_DEVICE_POLLING_INTERVAL, the constant for the
lifespan was used to initialize the default polling interval.

This leads to an inability to continuously poll for the result, as the
result is stuck in the actionTokens cache for far longer than expected
(600 seconds instead of 5 seconds). As a result, only the first request
for the token succeeds if a resource owner has already granted access.
If that has not happened, any additional polling within 600 seconds
gets rejected with a 'slow_down' response.

This makes it hard to write OAuth 2.0 clients using the device code
authorization grant flow against multiple IdPs. Microsoft's
implementation of the OAuth 2.0 device code grant flow requires 'nudging'
the Authorization Server's token endpoint before it even starts
recognizing the device code. Keycloak's mismatch of the polling interval
default makes this flow impossible.

Closes #12327

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Alexander Bokovoy 2022-05-09 10:16:31 +03:00 committed by Marek Posolda
parent 3889eeda30
commit 1915f11cba

@ -47,7 +47,7 @@ public final class OAuth2DeviceConfig implements Serializable {
private transient Supplier<RealmModel> realmForWrite; private transient Supplier<RealmModel> realmForWrite;
private int lifespan = DEFAULT_OAUTH2_DEVICE_CODE_LIFESPAN; private int lifespan = DEFAULT_OAUTH2_DEVICE_CODE_LIFESPAN;
private int poolingInterval = DEFAULT_OAUTH2_DEVICE_CODE_LIFESPAN; private int poolingInterval = DEFAULT_OAUTH2_DEVICE_POLLING_INTERVAL;
public OAuth2DeviceConfig(RealmModel realm) { public OAuth2DeviceConfig(RealmModel realm) {
this.realm = () -> realm; this.realm = () -> realm;
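Review bot: the changed line (`private int poolingInterval = ...`) spells the field `poolingInterval` rather than `pollingInterval`; swapping the initializer from `DEFAULT_OAUTH2_DEVICE_CODE_LIFESPAN` to `DEFAULT_OAUTH2_DEVICE_POLLING_INTERVAL` is the correct one-line fix and matches the commit description (the default falling back to the 600-second lifespan instead of the 5-second polling interval), but the hunk adds no test. A small regression test asserting that a realm with no explicit polling interval configured reports the 5-second default would stop the two similarly named constants from being confused again, and the field-name typo is worth a follow-up (its accessors sit outside this hunk, so renaming here would be out of scope).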