Make sure refresh token expiration is based on the current time when the token is issued
Closes #27180 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
This commit is contained in:
parent
0adc842ac7
commit
40385061f7
2 changed files with 37 additions and 10 deletions
|
@ -430,10 +430,6 @@ public class TokenManager {
|
|||
|
||||
validateTokenReuseForRefresh(session, realm, refreshToken, validation);
|
||||
|
||||
int currentTime = Time.currentTime();
|
||||
clientSession.setTimestamp(currentTime);
|
||||
validation.userSession.setLastSessionRefresh(currentTime);
|
||||
|
||||
if (refreshToken.getAuthorization() != null) {
|
||||
validation.newToken.setAuthorization(refreshToken.getAuthorization());
|
||||
}
|
||||
|
@ -1142,24 +1138,29 @@ public class TokenManager {
|
|||
}
|
||||
|
||||
private void generateRefreshToken(boolean offlineTokenRequested) {
|
||||
refreshToken = new RefreshToken(accessToken);
|
||||
refreshToken.id(KeycloakModelUtils.generateId());
|
||||
refreshToken.issuedNow();
|
||||
int currentTime = Time.currentTime();
|
||||
AuthenticatedClientSessionModel clientSession = clientSessionCtx.getClientSession();
|
||||
clientSession.setTimestamp(currentTime);
|
||||
UserSessionModel userSession = clientSession.getUserSession();
|
||||
userSession.setLastSessionRefresh(currentTime);
|
||||
|
||||
if (offlineTokenRequested) {
|
||||
UserSessionManager sessionManager = new UserSessionManager(session);
|
||||
if (!sessionManager.isOfflineTokenAllowed(clientSessionCtx)) {
|
||||
event.error(Errors.NOT_ALLOWED);
|
||||
throw new ErrorResponseException("not_allowed", "Offline tokens not allowed for the user or client", Response.Status.BAD_REQUEST);
|
||||
}
|
||||
|
||||
refreshToken = new RefreshToken(accessToken);
|
||||
refreshToken.type(TokenUtil.TOKEN_TYPE_OFFLINE);
|
||||
if (realm.isOfflineSessionMaxLifespanEnabled())
|
||||
if (realm.isOfflineSessionMaxLifespanEnabled()) {
|
||||
refreshToken.expiration(getExpiration(true));
|
||||
}
|
||||
sessionManager.createOrUpdateOfflineSession(clientSessionCtx.getClientSession(), userSession);
|
||||
} else {
|
||||
refreshToken = new RefreshToken(accessToken);
|
||||
refreshToken.expiration(getExpiration(false));
|
||||
}
|
||||
refreshToken.id(KeycloakModelUtils.generateId());
|
||||
refreshToken.issuedNow();
|
||||
}
|
||||
|
||||
private int getExpiration(boolean offline) {
|
||||
|
|
|
@ -2046,6 +2046,32 @@ public class EntitlementAPITest extends AbstractAuthzTest {
|
|||
assertFalse(token.getAuthorization().getPermissions().isEmpty());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testTokenExpirationRenewalWhenIssuingTokens() {
|
||||
oauth.realm("authz-test");
|
||||
oauth.clientId(PUBLIC_TEST_CLIENT);
|
||||
oauth.doLogin("marta", "password");
|
||||
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
|
||||
OAuthClient.AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code, null);
|
||||
assertNotNull(accessTokenResponse.getAccessToken());
|
||||
assertNotNull(accessTokenResponse.getRefreshToken());
|
||||
|
||||
try {
|
||||
for (int i = 0; i < 3; i++) {
|
||||
AuthorizationRequest request = new AuthorizationRequest();
|
||||
request.setAudience(RESOURCE_SERVER_TEST);
|
||||
AuthorizationResponse authorizationResponse = getAuthzClient(PUBLIC_TEST_CLIENT_CONFIG).authorization(accessTokenResponse.getAccessToken()).authorize(request);
|
||||
AccessToken refreshToken = toAccessToken(authorizationResponse.getRefreshToken());
|
||||
AccessToken accessTokenToken = toAccessToken(authorizationResponse.getToken());
|
||||
assertEquals(refreshToken.getExp() - refreshToken.getIat(), 1800);
|
||||
assertEquals(accessTokenToken.getExp() - accessTokenToken.getIat(), 300);
|
||||
setTimeOffset(i);
|
||||
}
|
||||
} finally {
|
||||
resetTimeOffset();
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testUsingExpiredToken() throws Exception {
|
||||
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
|
||||
|
|
Loading…
Reference in a new issue