libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6

Make sure refresh token expiration is based on the current time when the token is issued

Browse source 
Closes #27180

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
This commit is contained in:
Pedro Igor 2024-03-07 08:20:27 -03:00 committed by Marek Posolda
parent 0adc842ac7
commit 40385061f7
2 changed files with 37 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
View file

@ -430,10 +430,6 @@ public class TokenManager {
validateTokenReuseForRefresh(session, realm, refreshToken, validation); validateTokenReuseForRefresh(session, realm, refreshToken, validation);
int currentTime = Time.currentTime();
clientSession.setTimestamp(currentTime);
validation.userSession.setLastSessionRefresh(currentTime);
if (refreshToken.getAuthorization() != null) { if (refreshToken.getAuthorization() != null) {
validation.newToken.setAuthorization(refreshToken.getAuthorization()); validation.newToken.setAuthorization(refreshToken.getAuthorization());
} }
@ -1142,24 +1138,29 @@ public class TokenManager {
} }
private void generateRefreshToken(boolean offlineTokenRequested) { private void generateRefreshToken(boolean offlineTokenRequested) {
refreshToken = new RefreshToken(accessToken);
refreshToken.id(KeycloakModelUtils.generateId());
refreshToken.issuedNow();
int currentTime = Time.currentTime();
AuthenticatedClientSessionModel clientSession = clientSessionCtx.getClientSession();
clientSession.setTimestamp(currentTime);
UserSessionModel userSession = clientSession.getUserSession();
userSession.setLastSessionRefresh(currentTime);
if (offlineTokenRequested) { if (offlineTokenRequested) {
UserSessionManager sessionManager = new UserSessionManager(session); UserSessionManager sessionManager = new UserSessionManager(session);
if (!sessionManager.isOfflineTokenAllowed(clientSessionCtx)) { if (!sessionManager.isOfflineTokenAllowed(clientSessionCtx)) {
event.error(Errors.NOT_ALLOWED); event.error(Errors.NOT_ALLOWED);
throw new ErrorResponseException("not_allowed", "Offline tokens not allowed for the user or client", Response.Status.BAD_REQUEST); throw new ErrorResponseException("not_allowed", "Offline tokens not allowed for the user or client", Response.Status.BAD_REQUEST);
} }
refreshToken = new RefreshToken(accessToken);
refreshToken.type(TokenUtil.TOKEN_TYPE_OFFLINE); refreshToken.type(TokenUtil.TOKEN_TYPE_OFFLINE);
if (realm.isOfflineSessionMaxLifespanEnabled()) if (realm.isOfflineSessionMaxLifespanEnabled()) {
refreshToken.expiration(getExpiration(true)); refreshToken.expiration(getExpiration(true));
}
sessionManager.createOrUpdateOfflineSession(clientSessionCtx.getClientSession(), userSession); sessionManager.createOrUpdateOfflineSession(clientSessionCtx.getClientSession(), userSession);
} else { } else {
refreshToken = new RefreshToken(accessToken);
refreshToken.expiration(getExpiration(false)); refreshToken.expiration(getExpiration(false));
} }
refreshToken.id(KeycloakModelUtils.generateId());
refreshToken.issuedNow();
} }
private int getExpiration(boolean offline) { private int getExpiration(boolean offline) {

26
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/EntitlementAPITest.java
View file

@ -2046,6 +2046,32 @@ public class EntitlementAPITest extends AbstractAuthzTest {
assertFalse(token.getAuthorization().getPermissions().isEmpty()); assertFalse(token.getAuthorization().getPermissions().isEmpty());
} }
@Test
public void testTokenExpirationRenewalWhenIssuingTokens() {
oauth.realm("authz-test");
oauth.clientId(PUBLIC_TEST_CLIENT);
oauth.doLogin("marta", "password");
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
OAuthClient.AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code, null);
assertNotNull(accessTokenResponse.getAccessToken());
assertNotNull(accessTokenResponse.getRefreshToken());
try {
for (int i = 0; i < 3; i++) {
AuthorizationRequest request = new AuthorizationRequest();
request.setAudience(RESOURCE_SERVER_TEST);
AuthorizationResponse authorizationResponse = getAuthzClient(PUBLIC_TEST_CLIENT_CONFIG).authorization(accessTokenResponse.getAccessToken()).authorize(request);
AccessToken refreshToken = toAccessToken(authorizationResponse.getRefreshToken());
AccessToken accessTokenToken = toAccessToken(authorizationResponse.getToken());
assertEquals(refreshToken.getExp() - refreshToken.getIat(), 1800);
assertEquals(accessTokenToken.getExp() - accessTokenToken.getIat(), 300);
setTimeOffset(i);
}
} finally {
resetTimeOffset();
}
}
@Test @Test
public void testUsingExpiredToken() throws Exception { public void testUsingExpiredToken() throws Exception {
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST); ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);