Merge pull request #2498 from stianst/KEYCLOAK-2722

KEYCLOAK-2722 Check user session in token introspection endpoint
This commit is contained in:
Stian Thorgersen 2016-04-05 11:18:32 +02:00
commit 3e9ae7aa82
4 changed files with 117 additions and 3 deletions

View file

@ -174,8 +174,31 @@ public class TokenManager {
verifyAccess(oldToken, newToken);
return new TokenValidation(user, userSession, clientSession, newToken);
}
public boolean isTokenValid(KeycloakSession session, RealmModel realm, AccessToken token) throws OAuthErrorException {
if (!token.isActive()) {
return false;
}
if (token.getIssuedAt() < realm.getNotBefore()) {
return false;
}
UserModel user = session.users().getUserById(token.getSubject(), realm);
if (user == null) {
return false;
}
if (!user.isEnabled()) {
return false;
}
UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState());
if (!AuthenticationManager.isSessionValid(realm, userSession)) {
return false;
}
return true;
}
public RefreshResult refreshAccessToken(KeycloakSession session, UriInfo uriInfo, ClientConnection connection, RealmModel realm, ClientModel authorizedClient, String encodedRefreshToken, EventBuilder event, HttpHeaders headers) throws OAuthErrorException {

View file

@ -31,6 +31,7 @@ import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.TokenManager.TokenValidation;
import org.keycloak.protocol.oidc.utils.AuthorizeClientUtil;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.ErrorResponseException;
@ -106,7 +107,8 @@ public class TokenIntrospectionEndpoint {
AccessToken toIntrospect = toAccessToken(tokenTypeHint, token);
ObjectNode tokenMetadata;
if (toIntrospect.isActive()) {
boolean active = tokenManager.isTokenValid(session, realm, toIntrospect);
if (active) {
tokenMetadata = JsonSerialization.createObjectNode(toIntrospect);
tokenMetadata.put("client_id", toIntrospect.getIssuedFor());
tokenMetadata.put("username", toIntrospect.getPreferredUsername());
@ -114,7 +116,7 @@ public class TokenIntrospectionEndpoint {
tokenMetadata = JsonSerialization.createObjectNode();
}
tokenMetadata.put("active", toIntrospect.isActive());
tokenMetadata.put("active", active);
this.event.success();

View file

@ -166,7 +166,7 @@ public class UsersResource {
attrsToRemove = Collections.emptySet();
}
if (rep.isEnabled() != null && rep.isEnabled()) {
if (rep.isEnabled() != null && rep.isEnabled() && rep.getUsername() != null) {
UsernameLoginFailureModel failureModel = session.sessions().getUserLoginFailure(realm, rep.getUsername().toLowerCase());
if (failureModel != null) {
failureModel.clearFailures();

View file

@ -23,6 +23,7 @@ import org.junit.Rule;
import org.junit.Test;
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.common.util.Time;
import org.keycloak.events.Event;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
@ -31,6 +32,7 @@ import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.oidc.TokenMetadataRepresentation;
import org.keycloak.services.managers.ClientManager;
import org.keycloak.services.managers.RealmManager;
@ -41,6 +43,7 @@ import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.rule.KeycloakRule;
import org.keycloak.testsuite.rule.WebResource;
import org.keycloak.testsuite.rule.WebRule;
import org.keycloak.util.JsonSerialization;
import org.openqa.selenium.WebDriver;
import static org.junit.Assert.*;
@ -207,4 +210,90 @@ public class TokenIntrospectionTest {
events.clear();
}
@Test
public void testIntrospectAccessToken() throws Exception {
oauth.doLogin("test-user@localhost", "password");
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
Event loginEvent = events.expectLogin().assertEvent();
AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code, "password");
String tokenResponse = oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", accessTokenResponse.getAccessToken());
TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class);
assertTrue(rep.isActive());
assertEquals("test-user@localhost", rep.getUserName());
assertEquals("test-app", rep.getClientId());
assertEquals(loginEvent.getUserId(), rep.getSubject());
events.clear();
}
@Test
public void testIntrospectAccessTokenSessionInvalid() throws Exception {
oauth.doLogin("test-user@localhost", "password");
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code, "password");
oauth.doLogout(accessTokenResponse.getRefreshToken(), "password");
String tokenResponse = oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", accessTokenResponse.getAccessToken());
TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class);
assertFalse(rep.isActive());
assertNull(rep.getUserName());
assertNull(rep.getClientId());
assertNull(rep.getSubject());
events.clear();
}
@Test
public void testIntrospectAccessTokenUserDisabled() throws Exception {
oauth.doLogin("test-user@localhost", "password");
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code, "password");
Event loginEvent = events.expectLogin().assertEvent();
UserRepresentation userRep = new UserRepresentation();
try {
userRep.setEnabled(false);
keycloak.realm(oauth.getRealm()).users().get(loginEvent.getUserId()).update(userRep);
String tokenResponse = oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", accessTokenResponse.getAccessToken());
TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class);
assertFalse(rep.isActive());
assertNull(rep.getUserName());
assertNull(rep.getClientId());
assertNull(rep.getSubject());
events.clear();
} finally {
userRep.setEnabled(true);
keycloak.realm(oauth.getRealm()).users().get(loginEvent.getUserId()).update(userRep);
}
}
@Test
public void testIntrospectAccessTokenExpired() throws Exception {
oauth.doLogin("test-user@localhost", "password");
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code, "password");
try {
Time.setOffset(keycloak.realm(oauth.getRealm()).toRepresentation().getAccessTokenLifespan() + 1);
String tokenResponse = oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", accessTokenResponse.getAccessToken());
TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class);
assertFalse(rep.isActive());
assertNull(rep.getUserName());
assertNull(rep.getClientId());
assertNull(rep.getSubject());
events.clear();
} finally {
Time.setOffset(0);
}
}
}