Merge pull request #3835 from mposolda/KEYCLOAK-4371

KEYCLOAK-4371 Offline Tokens still useless When SSO Session Max is Re…

services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java

@@ -740,7 +740,7 @@ public class AuthenticationManager {
             if (!isSessionValid(realm, userSession)) {
                 // Check if accessToken was for the offline session.
                 if (!isCookie) {
-                    UserSessionModel offlineUserSession = session.sessions().getUserSession(realm, token.getSessionState());
+                    UserSessionModel offlineUserSession = session.sessions().getOfflineUserSession(realm, token.getSessionState());
                     if (isOfflineSessionValid(realm, offlineUserSession)) {
                         return new AuthResult(user, offlineUserSession, token);
                     }

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java

@@ -465,6 +465,9 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
         // Set the time offset, so that "normal" userSession expires
         setTimeOffset(86400);
 
+        // Remove expired sessions. This will remove "normal" userSession
+        testingClient.testing().removeUserSessions(appRealm.toRepresentation().getId());
+
         // Refresh with the offline token
         tokenResponse = oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "secret1");