libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

Check refresh token flow response for offline based on refresh token request parameter

Browse source 
Closes #30857

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
This commit is contained in:
cgeorgilakis-grnet 2024-06-27 10:23:24 +03:00 committed by Pedro Igor
parent 2316b8d82a
commit 20cedb84eb
2 changed files with 61 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
View file

@ -417,7 +417,7 @@ public class TokenManager {
} }
AccessTokenResponseBuilder responseBuilder = responseBuilder(realm, authorizedClient, event, session, AccessTokenResponseBuilder responseBuilder = responseBuilder(realm, authorizedClient, event, session,
validation.userSession, validation.clientSessionCtx).accessToken(validation.newToken); validation.userSession, validation.clientSessionCtx).offlineToken( TokenUtil.TOKEN_TYPE_OFFLINE.equals(refreshToken.getType())).accessToken(validation.newToken);
if (clientConfig.isUseRefreshToken()) { if (clientConfig.isUseRefreshToken()) {
//refresh token must have same scope as old refresh token (type, scope, expiration) //refresh token must have same scope as old refresh token (type, scope, expiration)
responseBuilder.generateRefreshToken(refreshToken, clientSession); responseBuilder.generateRefreshToken(refreshToken, clientSession);
@ -1049,6 +1049,7 @@ public class TokenManager {
String codeHash; String codeHash;
String stateHash; String stateHash;
boolean offlineToken = false;
private AccessTokenResponse response; private AccessTokenResponse response;
@ -1089,6 +1090,11 @@ public class TokenManager {
return this; return this;
} }
public AccessTokenResponseBuilder offlineToken(boolean offlineToken) {
this.offlineToken = offlineToken;
return this;
}
public AccessTokenResponseBuilder generateAccessToken() { public AccessTokenResponseBuilder generateAccessToken() {
UserModel user = userSession.getUser(); UserModel user = userSession.getUser();
accessToken = createClientAccessToken(session, realm, client, user, userSession, clientSessionCtx); accessToken = createClientAccessToken(session, realm, client, user, userSession, clientSessionCtx);
@ -1218,7 +1224,7 @@ public class TokenManager {
} }
public boolean isOfflineToken() { public boolean isOfflineToken() {
return refreshToken != null && TokenUtil.TOKEN_TYPE_OFFLINE.equals(refreshToken.getType()); return offlineToken;
} }
public AccessTokenResponse build() { public AccessTokenResponse build() {

54
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesExtendedEventTest.java
View file

@ -81,7 +81,7 @@ import static org.junit.Assert.assertNull;
/** /**
* This test class is for testing a newly supported event for client policies. * This test class is for testing a newly supported event for client policies.
* *
* @author <a href="mailto:takashi.norimatsu.ws@hitachi.com">Takashi Norimatsu</a> * @author <a href="mailto:takashi.norimatsu.ws@hitachi.com">Takashi Norimatsu</a>
*/ */
@EnableFeature(value = Profile.Feature.CLIENT_SECRET_ROTATION) @EnableFeature(value = Profile.Feature.CLIENT_SECRET_ROTATION)
@ -486,6 +486,58 @@ public class ClientPoliciesExtendedEventTest extends AbstractClientPoliciesTest
assertEquals(findUserByUsername(adminClient.realm(REALM_NAME), TEST_USER_NAME).getId(), refreshedRefreshToken.getSubject()); assertEquals(findUserByUsername(adminClient.realm(REALM_NAME), TEST_USER_NAME).getId(), refreshedRefreshToken.getSubject());
} }
@Test
public void testExtendedClientPolicyIntefacesForTokenRefreshResponseWithOffline() throws Exception {
String clientId = generateSuffixedName(CLIENT_NAME);
String clientSecret = "secret";
String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
clientRep.setSecret(clientSecret);
clientRep.setStandardFlowEnabled(Boolean.TRUE);
clientRep.setImplicitFlowEnabled(Boolean.TRUE);
clientRep.setPublicClient(Boolean.FALSE);
});
adminClient.realm(REALM_NAME).clients().get(cid).roles().create(RoleBuilder.create().name(SAMPLE_CLIENT_ROLE).build());
oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
oauth.clientId(clientId);
oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
EventRepresentation loginEvent = events.expectLogin().client(clientId).assertEvent();
String code = new OAuthClient.AuthorizationEndpointResponse(oauth).getCode();
OAuthClient.AccessTokenResponse res = oauth.doAccessTokenRequest(code, clientSecret);
assertEquals(200, res.getStatusCode());
AccessToken token = oauth.verifyToken(res.getAccessToken());
assertNotNull(token);
assertNotNull(token.getSessionId());
// register profiles
String json = (new ClientProfilesBuilder()).addProfile(
(new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Le Premier Profil")
.addExecutor(SuppressRefreshTokenRotationExecutorFactory.PROVIDER_ID, null)
.toRepresentation()
).toString();
updateProfiles(json);
// register policies
json = (new ClientPoliciesBuilder()).addPolicy(
(new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Den Forste Politikken", Boolean.TRUE)
.addCondition(ClientRolesConditionFactory.PROVIDER_ID,
createClientRolesConditionConfig(Arrays.asList(SAMPLE_CLIENT_ROLE)))
.addProfile(PROFILE_NAME)
.toRepresentation()
).toString();
updatePolicies(json);
// delete the non-offline session to force the NPE
adminClient.realm(REALM_NAME).deleteSession(token.getSessionId(), false);
String refreshTokenString = res.getRefreshToken();
OAuthClient.AccessTokenResponse accessTokenResponseRefreshed = oauth.doRefreshTokenRequest(refreshTokenString, clientSecret);
assertEquals(200, accessTokenResponseRefreshed.getStatusCode());
assertNull(accessTokenResponseRefreshed.getRefreshToken());
}
@Test @Test
public void testExtendedClientPolicyIntefacesForServiceAccountTokenRequeponse() throws Exception { public void testExtendedClientPolicyIntefacesForServiceAccountTokenRequeponse() throws Exception {
String clientId = "service-account-app"; String clientId = "service-account-app";