From 8d90ad816a002ccee0068095a42fbd4b967f4739 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Mon, 27 Jul 2015 15:28:58 +0200 Subject: [PATCH 1/3] KEYCLOAK-1710 UserInfoEndpoint throws NPE if user session is not found --- .../oidc/endpoints/UserInfoEndpoint.java | 7 +++++- .../keycloak/testsuite/oidc/UserInfoTest.java | 24 +++++++++++++++++-- 2 files changed, 28 insertions(+), 3 deletions(-) diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java index f17cc27fbf..f410bec0f1 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java @@ -36,6 +36,7 @@ import org.keycloak.protocol.oidc.TokenManager; import org.keycloak.representations.AccessToken; import org.keycloak.services.ErrorResponseException; import org.keycloak.services.managers.AppAuthManager; +import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.resources.Cors; import org.keycloak.services.Urls; @@ -117,13 +118,17 @@ public class UserInfoEndpoint { AccessToken token = null; try { - token = RSATokenVerifier.verifyToken(tokenString, realm.getPublicKey(), Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); + token = RSATokenVerifier.verifyToken(tokenString, realm.getPublicKey(), Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()), true); } catch (Exception e) { throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "Token invalid", Status.FORBIDDEN); } UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState()); ClientSessionModel clientSession = session.sessions().getClientSession(token.getClientSession()); + if (userSession == null || clientSession == null || !AuthenticationManager.isSessionValid(realm, userSession)) { + throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "Token invalid", Status.FORBIDDEN); + } + ClientModel clientModel = realm.getClientByClientId(token.getIssuedFor()); UserModel userModel = userSession.getUser(); AccessToken userInfo = new AccessToken(); diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/oidc/UserInfoTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/oidc/UserInfoTest.java index 6b739ba2cb..11ced77747 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/oidc/UserInfoTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/oidc/UserInfoTest.java @@ -25,6 +25,7 @@ import org.junit.ClassRule; import org.junit.Rule; import org.junit.Test; import org.keycloak.OAuth2Constants; +import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; import org.keycloak.protocol.oidc.OIDCLoginProtocolService; import org.keycloak.representations.AccessTokenResponse; @@ -54,8 +55,6 @@ import static org.junit.Assert.assertNotNull; */ public class UserInfoTest { - private static RealmModel realm; - @ClassRule public static KeycloakRule keycloakRule = new KeycloakRule(); @@ -88,6 +87,27 @@ public class UserInfoTest { client.close(); } + @Test + public void testSessionExpired() throws Exception { + Client client = ClientBuilder.newClient(); + UriBuilder builder = UriBuilder.fromUri(org.keycloak.testsuite.Constants.AUTH_SERVER_ROOT); + URI grantUri = OIDCLoginProtocolService.tokenUrl(builder).build("test"); + WebTarget grantTarget = client.target(grantUri); + AccessTokenResponse accessTokenResponse = executeGrantAccessTokenRequest(grantTarget); + + KeycloakSession session = keycloakRule.startSession(); + keycloakRule.startSession().sessions().removeUserSessions(session.realms().getRealm("test")); + keycloakRule.stopSession(session, true); + + Response response = executeUserInfoRequest(accessTokenResponse.getToken()); + + assertEquals(Status.FORBIDDEN.getStatusCode(), response.getStatus()); + + response.close(); + + client.close(); + } + @Test public void testUnsuccessfulUserInfoRequest() throws Exception { Response response = executeUserInfoRequest("bad"); From 8e25369001f92b7a947dd593f5df0a29af2807a6 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Mon, 27 Jul 2015 15:39:10 +0200 Subject: [PATCH 2/3] KEYCLOAK-1711 Add get user info to js-console example --- examples/js-console/src/main/webapp/index.html | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/examples/js-console/src/main/webapp/index.html b/examples/js-console/src/main/webapp/index.html index 796aebdb50..153053b53e 100644 --- a/examples/js-console/src/main/webapp/index.html +++ b/examples/js-console/src/main/webapp/index.html @@ -10,6 +10,7 @@ + @@ -35,6 +36,14 @@ }); } + function loadUserInfo() { + keycloak.loadUserInfo().success(function(userInfo) { + output(userInfo); + }).error(function() { + output('Failed to load user info'); + }); + } + function refreshToken(minValidity) { keycloak.updateToken(minValidity).success(function(refreshed) { if (refreshed) { From a190cdd8f21072cba364f566d6e72ab0c63b1b55 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Mon, 27 Jul 2015 16:01:48 +0200 Subject: [PATCH 3/3] KEYCLOAK-1712 Admin client example not working --- examples/demo-template/testrealm.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/examples/demo-template/testrealm.json b/examples/demo-template/testrealm.json index d669e6bccd..556708efc3 100755 --- a/examples/demo-template/testrealm.json +++ b/examples/demo-template/testrealm.json @@ -167,8 +167,7 @@ "clientId": "admin-client", "enabled": true, "publicClient": true, - "directGrantsOnly": true, - "consentRequired": true + "directGrantsOnly": true }, { "clientId": "product-sa-client",