25815 do not remove previous refresh token for federated identity

Signed-off-by: Geoffrey Fourmis <geoffrey.fourmis@gmail.com>
This commit is contained in:
Geoffrey Fourmis 2024-03-02 18:07:22 +01:00 committed by Pedro Igor
parent d69872fa11
commit 24d9a22f49

View file

@ -72,6 +72,7 @@ import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.protocol.saml.SamlSessionUtils;
import org.keycloak.protocol.saml.preprocessor.SamlAuthenticationPreprocessor;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.ErrorPageException;
import org.keycloak.services.ErrorResponse;
@ -1095,12 +1096,31 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
private void updateToken(BrokeredIdentityContext context, UserModel federatedUser, FederatedIdentityModel federatedIdentityModel) {
if (context.getIdpConfig().isStoreToken() && !ObjectUtil.isEqualOrBothNull(context.getToken(), federatedIdentityModel.getToken())) {
federatedIdentityModel.setToken(context.getToken());
try {
// like in OIDCIdentityProvider.exchangeStoredToken()
// we shouldn't override the refresh token if it is null in the context and not null in the DB
// as for google IDP it will be lost forever
if (federatedIdentityModel.getToken() != null) {
AccessTokenResponse previousResponse = JsonSerialization.readValue(federatedIdentityModel.getToken(), AccessTokenResponse.class);
AccessTokenResponse newResponse = JsonSerialization.readValue(context.getToken(), AccessTokenResponse.class);
this.session.users().updateFederatedIdentity(this.realmModel, federatedUser, federatedIdentityModel);
if (newResponse.getRefreshToken() == null && previousResponse.getRefreshToken() != null) {
newResponse.setRefreshToken(previousResponse.getRefreshToken());
newResponse.setRefreshExpiresIn(previousResponse.getRefreshExpiresIn());
}
if (isDebugEnabled()) {
logger.debugf("Identity [%s] update with response from identity provider [%s].", federatedUser, context.getIdpConfig().getAlias());
federatedIdentityModel.setToken(JsonSerialization.writeValueAsString(newResponse));
} else {
federatedIdentityModel.setToken(context.getToken());
}
this.session.users().updateFederatedIdentity(this.realmModel, federatedUser, federatedIdentityModel);
if (isDebugEnabled()) {
logger.debugf("Identity [%s] update with response from identity provider [%s].", federatedUser, context.getIdpConfig().getAlias());
}
} catch (IOException e) {
throw new RuntimeException(e);
}
}
}