Merge pull request #3041 from stianst/KEYCLOAK-3302
KEYCLOAK-3302 Allow logout with expired refresh token
This commit is contained in:
commit
1b517a461e
5 changed files with 119 additions and 7 deletions
|
@ -244,16 +244,23 @@ public class TokenManager {
|
|||
}
|
||||
|
||||
public RefreshToken verifyRefreshToken(RealmModel realm, String encodedRefreshToken) throws OAuthErrorException {
|
||||
return verifyRefreshToken(realm, encodedRefreshToken, true);
|
||||
}
|
||||
|
||||
public RefreshToken verifyRefreshToken(RealmModel realm, String encodedRefreshToken, boolean checkExpiration) throws OAuthErrorException {
|
||||
try {
|
||||
RefreshToken refreshToken = toRefreshToken(realm, encodedRefreshToken);
|
||||
|
||||
if (refreshToken.getExpiration() != 0 && refreshToken.isExpired()) {
|
||||
throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Refresh token expired");
|
||||
if (checkExpiration) {
|
||||
if (refreshToken.getExpiration() != 0 && refreshToken.isExpired()) {
|
||||
throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Refresh token expired");
|
||||
}
|
||||
|
||||
if (refreshToken.getIssuedAt() < realm.getNotBefore()) {
|
||||
throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale refresh token");
|
||||
}
|
||||
}
|
||||
|
||||
if (refreshToken.getIssuedAt() < realm.getNotBefore()) {
|
||||
throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale refresh token");
|
||||
}
|
||||
return refreshToken;
|
||||
} catch (JWSInputException e) {
|
||||
throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid refresh token", e);
|
||||
|
|
|
@ -187,7 +187,7 @@ public class LogoutEndpoint {
|
|||
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "No refresh token", Response.Status.BAD_REQUEST);
|
||||
}
|
||||
try {
|
||||
RefreshToken token = tokenManager.verifyRefreshToken(realm, refreshToken);
|
||||
RefreshToken token = tokenManager.verifyRefreshToken(realm, refreshToken, false);
|
||||
UserSessionModel userSessionModel = session.sessions().getUserSession(realm, token.getSessionState());
|
||||
if (userSessionModel != null) {
|
||||
logout(userSessionModel);
|
||||
|
|
|
@ -0,0 +1,100 @@
|
|||
/*
|
||||
* Copyright 2016 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.keycloak.testsuite.oauth;
|
||||
|
||||
import org.apache.http.HttpResponse;
|
||||
import org.junit.Before;
|
||||
import org.junit.Rule;
|
||||
import org.junit.Test;
|
||||
import org.keycloak.OAuth2Constants;
|
||||
import org.keycloak.common.util.Time;
|
||||
import org.keycloak.representations.idm.RealmRepresentation;
|
||||
import org.keycloak.testsuite.AbstractKeycloakTest;
|
||||
import org.keycloak.testsuite.AssertEvents;
|
||||
import org.keycloak.testsuite.util.ClientManager;
|
||||
import org.keycloak.testsuite.util.OAuthClient;
|
||||
import org.keycloak.testsuite.util.RealmBuilder;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertNotNull;
|
||||
import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||
*/
|
||||
public class LogoutTest extends AbstractKeycloakTest {
|
||||
|
||||
@Rule
|
||||
public AssertEvents events = new AssertEvents(this);
|
||||
|
||||
@Override
|
||||
public void beforeAbstractKeycloakTest() throws Exception {
|
||||
super.beforeAbstractKeycloakTest();
|
||||
}
|
||||
|
||||
@Before
|
||||
public void clientConfiguration() {
|
||||
ClientManager.realm(adminClient.realm("test")).clientId("test-app").directAccessGrant(true);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void addTestRealms(List<RealmRepresentation> testRealms) {
|
||||
RealmRepresentation realmRepresentation = loadJson(getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class);
|
||||
RealmBuilder realm = RealmBuilder.edit(realmRepresentation).testEventListener();
|
||||
|
||||
testRealms.add(realm.build());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void postLogout() throws Exception {
|
||||
oauth.doLogin("test-user@localhost", "password");
|
||||
|
||||
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
|
||||
|
||||
oauth.clientSessionState("client-session");
|
||||
OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
|
||||
String refreshTokenString = tokenResponse.getRefreshToken();
|
||||
|
||||
HttpResponse response = oauth.doLogout(refreshTokenString, "password");
|
||||
assertEquals(204, response.getStatusLine().getStatusCode());
|
||||
|
||||
assertNotNull(testingClient.testApp().getAdminLogoutAction());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void postLogoutExpiredRefreshToken() throws Exception {
|
||||
oauth.doLogin("test-user@localhost", "password");
|
||||
|
||||
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
|
||||
|
||||
oauth.clientSessionState("client-session");
|
||||
OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
|
||||
String refreshTokenString = tokenResponse.getRefreshToken();
|
||||
|
||||
adminClient.realm("test").update(RealmBuilder.create().notBefore(Time.currentTime() + 1).build());
|
||||
|
||||
// Logout should succeed with expired refresh token, see KEYCLOAK-3302
|
||||
HttpResponse response = oauth.doLogout(refreshTokenString, "password");
|
||||
assertEquals(204, response.getStatusLine().getStatusCode());
|
||||
|
||||
assertNotNull(testingClient.testApp().getAdminLogoutAction());
|
||||
}
|
||||
|
||||
}
|
|
@ -132,6 +132,11 @@ public class RealmBuilder {
|
|||
return this;
|
||||
}
|
||||
|
||||
public RealmBuilder notBefore(int i) {
|
||||
rep.setNotBefore(i);
|
||||
return this;
|
||||
}
|
||||
|
||||
public RealmBuilder otpLookAheadWindow(int i) {
|
||||
rep.setOtpPolicyLookAheadWindow(i);
|
||||
return this;
|
||||
|
|
|
@ -105,7 +105,7 @@
|
|||
"redirectUris": [
|
||||
"http://localhost:8180/auth/realms/master/app/auth/*"
|
||||
],
|
||||
"adminUrl": "http://localhost:8180/auth/realms/master/app/logout",
|
||||
"adminUrl": "http://localhost:8180/auth/realms/master/app/admin",
|
||||
"secret": "password"
|
||||
},
|
||||
{
|
||||
|
|
Loading…
Reference in a new issue