KEYCLOAK-2488 Token introspection returns wrong response for invalid token

2016-10-18 20:28:14 +02:00 · 2016-10-18 20:28:14 +02:00 · 29538332d9
commit 29538332d9
parent a87c08416d
2 changed files with 31 additions and 12 deletions
--- a/services/src/main/java/org/keycloak/protocol/oidc/AccessTokenIntrospectionProvider.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/AccessTokenIntrospectionProvider.java
@ -50,27 +50,28 @@ public class AccessTokenIntrospectionProvider implements TokenIntrospectionProvi
        try {
            boolean valid = true;

-            RSATokenVerifier verifier = RSATokenVerifier.create(token)
-                    .realmUrl(Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));
+            AccessToken toIntrospect = null;

-            PublicKey publicKey = session.keys().getPublicKey(realm, verifier.getHeader().getKeyId());
-            if (publicKey == null) {
-                valid = false;
-            } else {
-                try {
+            try {
+                RSATokenVerifier verifier = RSATokenVerifier.create(token)
+                        .realmUrl(Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));
+
+                PublicKey publicKey = session.keys().getPublicKey(realm, verifier.getHeader().getKeyId());
+                if (publicKey == null) {
+                    valid = false;
+                } else {
                    verifier.publicKey(publicKey);
                    verifier.verify();
-                } catch (VerificationException e) {
-                    valid = false;
+                    toIntrospect = verifier.getToken();
                }
+            } catch (VerificationException e) {
+                valid = false;
            }

            RealmModel realm = this.session.getContext().getRealm();
            ObjectNode tokenMetadata;

-            AccessToken toIntrospect = verifier.getToken();
-
-            if (valid) {
+            if (valid && toIntrospect != null) {
                valid = tokenManager.isTokenValid(session, realm, toIntrospect);
            }

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java
@ -188,6 +188,24 @@ public class TokenIntrospectionTest extends TestRealmKeycloakTest {
        assertNull(rep.getSubject());
    }

+    @Test
+    public void testUnsupportedToken() throws Exception {
+        oauth.doLogin("test-user@localhost", "password");
+        String inactiveAccessToken = "unsupported";
+        String tokenResponse = oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", inactiveAccessToken);
+        ObjectMapper objectMapper = new ObjectMapper();
+        JsonNode jsonNode = objectMapper.readTree(tokenResponse);
+
+        assertFalse(jsonNode.get("active").asBoolean());
+
+        TokenMetadataRepresentation rep = objectMapper.readValue(tokenResponse, TokenMetadataRepresentation.class);
+
+        assertFalse(rep.isActive());
+        assertNull(rep.getUserName());
+        assertNull(rep.getClientId());
+        assertNull(rep.getSubject());
+    }
+
    @Test
    public void testIntrospectAccessToken() throws Exception {
        oauth.doLogin("test-user@localhost", "password");