KEYCLOAK-2488 Token introspection returns wrong response for invalid token

2016-10-18 20:28:14 +02:00 · 2016-10-18 20:28:14 +02:00 · 29538332d9
commit 29538332d9
parent a87c08416d
2 changed files with 31 additions and 12 deletions
--- a/services/src/main/java/org/keycloak/protocol/oidc/AccessTokenIntrospectionProvider.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/AccessTokenIntrospectionProvider.java
@ -50,27 +50,28 @@ public class AccessTokenIntrospectionProvider implements TokenIntrospectionProvi
        try {
            boolean valid = true;
-            RSATokenVerifier verifier = RSATokenVerifier.create(token)
+            AccessToken toIntrospect = null;
                    .realmUrl(Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));
-            PublicKey publicKey = session.keys().getPublicKey(realm, verifier.getHeader().getKeyId());
+            try {
-            if (publicKey == null) {
+                RSATokenVerifier verifier = RSATokenVerifier.create(token)
-                valid = false;
+                        .realmUrl(Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));
-            } else {
+
-                try {
+                PublicKey publicKey = session.keys().getPublicKey(realm, verifier.getHeader().getKeyId());
                if (publicKey == null) {
                    valid = false;
                } else {
                    verifier.publicKey(publicKey);
                    verifier.verify();
-                } catch (VerificationException e) {
+                    toIntrospect = verifier.getToken();
                    valid = false;
                }
            } catch (VerificationException e) {
                valid = false;
            }
            RealmModel realm = this.session.getContext().getRealm();
            ObjectNode tokenMetadata;
-            AccessToken toIntrospect = verifier.getToken();
+            if (valid && toIntrospect != null) {
            if (valid) {
                valid = tokenManager.isTokenValid(session, realm, toIntrospect);
            }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java
@ -188,6 +188,24 @@ public class TokenIntrospectionTest extends TestRealmKeycloakTest {
        assertNull(rep.getSubject());
    }
    @Test
    public void testUnsupportedToken() throws Exception {
        oauth.doLogin("test-user@localhost", "password");
        String inactiveAccessToken = "unsupported";
        String tokenResponse = oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", inactiveAccessToken);
        ObjectMapper objectMapper = new ObjectMapper();
        JsonNode jsonNode = objectMapper.readTree(tokenResponse);
        assertFalse(jsonNode.get("active").asBoolean());
        TokenMetadataRepresentation rep = objectMapper.readValue(tokenResponse, TokenMetadataRepresentation.class);
        assertFalse(rep.isActive());
        assertNull(rep.getUserName());
        assertNull(rep.getClientId());
        assertNull(rep.getSubject());
    }
    @Test
    public void testIntrospectAccessToken() throws Exception {
        oauth.doLogin("test-user@localhost", "password");