Make sure refresh token expiration is based on the current time when the token is issued
Closes #27180 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
This commit is contained in:
parent
0adc842ac7
commit
40385061f7
2 changed files with 37 additions and 10 deletions
|
@ -430,10 +430,6 @@ public class TokenManager {
|
||||||
|
|
||||||
validateTokenReuseForRefresh(session, realm, refreshToken, validation);
|
validateTokenReuseForRefresh(session, realm, refreshToken, validation);
|
||||||
|
|
||||||
int currentTime = Time.currentTime();
|
|
||||||
clientSession.setTimestamp(currentTime);
|
|
||||||
validation.userSession.setLastSessionRefresh(currentTime);
|
|
||||||
|
|
||||||
if (refreshToken.getAuthorization() != null) {
|
if (refreshToken.getAuthorization() != null) {
|
||||||
validation.newToken.setAuthorization(refreshToken.getAuthorization());
|
validation.newToken.setAuthorization(refreshToken.getAuthorization());
|
||||||
}
|
}
|
||||||
|
@ -1142,24 +1138,29 @@ public class TokenManager {
|
||||||
}
|
}
|
||||||
|
|
||||||
private void generateRefreshToken(boolean offlineTokenRequested) {
|
private void generateRefreshToken(boolean offlineTokenRequested) {
|
||||||
|
refreshToken = new RefreshToken(accessToken);
|
||||||
|
refreshToken.id(KeycloakModelUtils.generateId());
|
||||||
|
refreshToken.issuedNow();
|
||||||
|
int currentTime = Time.currentTime();
|
||||||
|
AuthenticatedClientSessionModel clientSession = clientSessionCtx.getClientSession();
|
||||||
|
clientSession.setTimestamp(currentTime);
|
||||||
|
UserSessionModel userSession = clientSession.getUserSession();
|
||||||
|
userSession.setLastSessionRefresh(currentTime);
|
||||||
|
|
||||||
if (offlineTokenRequested) {
|
if (offlineTokenRequested) {
|
||||||
UserSessionManager sessionManager = new UserSessionManager(session);
|
UserSessionManager sessionManager = new UserSessionManager(session);
|
||||||
if (!sessionManager.isOfflineTokenAllowed(clientSessionCtx)) {
|
if (!sessionManager.isOfflineTokenAllowed(clientSessionCtx)) {
|
||||||
event.error(Errors.NOT_ALLOWED);
|
event.error(Errors.NOT_ALLOWED);
|
||||||
throw new ErrorResponseException("not_allowed", "Offline tokens not allowed for the user or client", Response.Status.BAD_REQUEST);
|
throw new ErrorResponseException("not_allowed", "Offline tokens not allowed for the user or client", Response.Status.BAD_REQUEST);
|
||||||
}
|
}
|
||||||
|
|
||||||
refreshToken = new RefreshToken(accessToken);
|
|
||||||
refreshToken.type(TokenUtil.TOKEN_TYPE_OFFLINE);
|
refreshToken.type(TokenUtil.TOKEN_TYPE_OFFLINE);
|
||||||
if (realm.isOfflineSessionMaxLifespanEnabled())
|
if (realm.isOfflineSessionMaxLifespanEnabled()) {
|
||||||
refreshToken.expiration(getExpiration(true));
|
refreshToken.expiration(getExpiration(true));
|
||||||
|
}
|
||||||
sessionManager.createOrUpdateOfflineSession(clientSessionCtx.getClientSession(), userSession);
|
sessionManager.createOrUpdateOfflineSession(clientSessionCtx.getClientSession(), userSession);
|
||||||
} else {
|
} else {
|
||||||
refreshToken = new RefreshToken(accessToken);
|
|
||||||
refreshToken.expiration(getExpiration(false));
|
refreshToken.expiration(getExpiration(false));
|
||||||
}
|
}
|
||||||
refreshToken.id(KeycloakModelUtils.generateId());
|
|
||||||
refreshToken.issuedNow();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private int getExpiration(boolean offline) {
|
private int getExpiration(boolean offline) {
|
||||||
|
|
|
@ -2046,6 +2046,32 @@ public class EntitlementAPITest extends AbstractAuthzTest {
|
||||||
assertFalse(token.getAuthorization().getPermissions().isEmpty());
|
assertFalse(token.getAuthorization().getPermissions().isEmpty());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testTokenExpirationRenewalWhenIssuingTokens() {
|
||||||
|
oauth.realm("authz-test");
|
||||||
|
oauth.clientId(PUBLIC_TEST_CLIENT);
|
||||||
|
oauth.doLogin("marta", "password");
|
||||||
|
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
|
||||||
|
OAuthClient.AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code, null);
|
||||||
|
assertNotNull(accessTokenResponse.getAccessToken());
|
||||||
|
assertNotNull(accessTokenResponse.getRefreshToken());
|
||||||
|
|
||||||
|
try {
|
||||||
|
for (int i = 0; i < 3; i++) {
|
||||||
|
AuthorizationRequest request = new AuthorizationRequest();
|
||||||
|
request.setAudience(RESOURCE_SERVER_TEST);
|
||||||
|
AuthorizationResponse authorizationResponse = getAuthzClient(PUBLIC_TEST_CLIENT_CONFIG).authorization(accessTokenResponse.getAccessToken()).authorize(request);
|
||||||
|
AccessToken refreshToken = toAccessToken(authorizationResponse.getRefreshToken());
|
||||||
|
AccessToken accessTokenToken = toAccessToken(authorizationResponse.getToken());
|
||||||
|
assertEquals(refreshToken.getExp() - refreshToken.getIat(), 1800);
|
||||||
|
assertEquals(accessTokenToken.getExp() - accessTokenToken.getIat(), 300);
|
||||||
|
setTimeOffset(i);
|
||||||
|
}
|
||||||
|
} finally {
|
||||||
|
resetTimeOffset();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testUsingExpiredToken() throws Exception {
|
public void testUsingExpiredToken() throws Exception {
|
||||||
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
|
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
|
||||||
|
|
Loading…
Reference in a new issue