Make sure refresh token expiration is based on the current time when the token is issued

Closes #27180

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
This commit is contained in:
Pedro Igor 2024-03-07 08:20:27 -03:00 committed by Marek Posolda
parent 0adc842ac7
commit 40385061f7
2 changed files with 37 additions and 10 deletions

View file

@ -430,10 +430,6 @@ public class TokenManager {
validateTokenReuseForRefresh(session, realm, refreshToken, validation);
int currentTime = Time.currentTime();
clientSession.setTimestamp(currentTime);
validation.userSession.setLastSessionRefresh(currentTime);
if (refreshToken.getAuthorization() != null) {
validation.newToken.setAuthorization(refreshToken.getAuthorization());
}
@ -1142,24 +1138,29 @@ public class TokenManager {
}
private void generateRefreshToken(boolean offlineTokenRequested) {
refreshToken = new RefreshToken(accessToken);
refreshToken.id(KeycloakModelUtils.generateId());
refreshToken.issuedNow();
int currentTime = Time.currentTime();
AuthenticatedClientSessionModel clientSession = clientSessionCtx.getClientSession();
clientSession.setTimestamp(currentTime);
UserSessionModel userSession = clientSession.getUserSession();
userSession.setLastSessionRefresh(currentTime);
if (offlineTokenRequested) {
UserSessionManager sessionManager = new UserSessionManager(session);
if (!sessionManager.isOfflineTokenAllowed(clientSessionCtx)) {
event.error(Errors.NOT_ALLOWED);
throw new ErrorResponseException("not_allowed", "Offline tokens not allowed for the user or client", Response.Status.BAD_REQUEST);
}
refreshToken = new RefreshToken(accessToken);
refreshToken.type(TokenUtil.TOKEN_TYPE_OFFLINE);
if (realm.isOfflineSessionMaxLifespanEnabled())
if (realm.isOfflineSessionMaxLifespanEnabled()) {
refreshToken.expiration(getExpiration(true));
}
sessionManager.createOrUpdateOfflineSession(clientSessionCtx.getClientSession(), userSession);
} else {
refreshToken = new RefreshToken(accessToken);
refreshToken.expiration(getExpiration(false));
}
refreshToken.id(KeycloakModelUtils.generateId());
refreshToken.issuedNow();
}
private int getExpiration(boolean offline) {

View file

@ -2046,6 +2046,32 @@ public class EntitlementAPITest extends AbstractAuthzTest {
assertFalse(token.getAuthorization().getPermissions().isEmpty());
}
@Test
public void testTokenExpirationRenewalWhenIssuingTokens() {
oauth.realm("authz-test");
oauth.clientId(PUBLIC_TEST_CLIENT);
oauth.doLogin("marta", "password");
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
OAuthClient.AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code, null);
assertNotNull(accessTokenResponse.getAccessToken());
assertNotNull(accessTokenResponse.getRefreshToken());
try {
for (int i = 0; i < 3; i++) {
AuthorizationRequest request = new AuthorizationRequest();
request.setAudience(RESOURCE_SERVER_TEST);
AuthorizationResponse authorizationResponse = getAuthzClient(PUBLIC_TEST_CLIENT_CONFIG).authorization(accessTokenResponse.getAccessToken()).authorize(request);
AccessToken refreshToken = toAccessToken(authorizationResponse.getRefreshToken());
AccessToken accessTokenToken = toAccessToken(authorizationResponse.getToken());
assertEquals(refreshToken.getExp() - refreshToken.getIat(), 1800);
assertEquals(accessTokenToken.getExp() - accessTokenToken.getIat(), 300);
setTimeOffset(i);
}
} finally {
resetTimeOffset();
}
}
@Test
public void testUsingExpiredToken() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);