25815 do not remove previous refresh token for federated identity

Signed-off-by: Geoffrey Fourmis <geoffrey.fourmis@gmail.com>
2024-03-02 18:07:22 +01:00 · 2024-03-02 18:07:22 +01:00 · 24d9a22f49
commit 24d9a22f49
parent d69872fa11
1 changed files with 24 additions and 4 deletions
--- a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
+++ b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
@ -72,6 +72,7 @@ import org.keycloak.protocol.oidc.utils.RedirectUtils;
 import org.keycloak.protocol.saml.SamlSessionUtils;
 import org.keycloak.protocol.saml.preprocessor.SamlAuthenticationPreprocessor;
 import org.keycloak.representations.AccessToken;
+import org.keycloak.representations.AccessTokenResponse;
 import org.keycloak.services.ErrorPage;
 import org.keycloak.services.ErrorPageException;
 import org.keycloak.services.ErrorResponse;
@ -1095,13 +1096,32 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal

    private void updateToken(BrokeredIdentityContext context, UserModel federatedUser, FederatedIdentityModel federatedIdentityModel) {
        if (context.getIdpConfig().isStoreToken() && !ObjectUtil.isEqualOrBothNull(context.getToken(), federatedIdentityModel.getToken())) {
+            try {
+                // like in OIDCIdentityProvider.exchangeStoredToken()
+                // we shouldn't override the refresh token if it is null in the context and not null in the DB
+                // as for google IDP it will be lost forever
+                if (federatedIdentityModel.getToken() != null) {
+                    AccessTokenResponse previousResponse = JsonSerialization.readValue(federatedIdentityModel.getToken(), AccessTokenResponse.class);
+                    AccessTokenResponse newResponse = JsonSerialization.readValue(context.getToken(), AccessTokenResponse.class);
+
+                    if (newResponse.getRefreshToken() == null && previousResponse.getRefreshToken() != null) {
+                        newResponse.setRefreshToken(previousResponse.getRefreshToken());
+                        newResponse.setRefreshExpiresIn(previousResponse.getRefreshExpiresIn());
+                    }
+
+                    federatedIdentityModel.setToken(JsonSerialization.writeValueAsString(newResponse));
+                } else {
                    federatedIdentityModel.setToken(context.getToken());
+                }

                this.session.users().updateFederatedIdentity(this.realmModel, federatedUser, federatedIdentityModel);

                if (isDebugEnabled()) {
                    logger.debugf("Identity [%s] update with response from identity provider [%s].", federatedUser, context.getIdpConfig().getAlias());
                }
+            } catch (IOException e) {
+                throw new RuntimeException(e);
+            }
        }
    }