From 541063f2cee5dc60bd0f5bff5c8388025272c902 Mon Sep 17 00:00:00 2001
From: Helder Alves
Date: Wed, 29 Jul 2020 11:12:29 -0300
Subject: [PATCH] KEYCLOAK-14940 refresh expired idtoken

---
 .../RefreshableKeycloakSecurityContext.java | 21 ++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java
index 3d4ad9cc5c..37f5f09bdf 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java
@@ -63,6 +63,18 @@ public class RefreshableKeycloakSecurityContext extends KeycloakSecurityContext
 return super.getTokenString();
 }
+ @Override
+ public IDToken getIdToken() {
+ refreshExpiredToken(true);
+ return super.getIdToken();
+ }
+
+ @Override
+ public String getIdTokenString() {
+ refreshExpiredToken(true);
+ return super.getIdTokenString();
+ }
+
 public String getRefreshToken() {
 return refreshToken;
 }
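Review bot: The two new overrides `getIdToken()` and `getIdTokenString()` call `refreshExpiredToken(true)` and then return whatever the superclass holds, so when the refresh is refused (failed verification, insufficient TTL, or no refresh performed) the caller still silently receives the previous, possibly expired ID token; this mirrors the existing `getTokenString()` above it, but nothing in the hunk says so. `refreshExpiredToken` is defined outside this hunk, so I cannot tell from here whether its expiry decision looks at the ID token or only at the access token; if it is the latter, an ID token with a shorter lifetime than the access token would still be handed out expired, which is worth a test. Either way the new accessors deserve a short Javadoc, e.g. `/** Returns the ID token, first attempting a refresh via {@link #refreshExpiredToken(boolean)}; on refresh failure the previously stored (possibly expired) ID token is returned unchanged. */`, so callers do not assume the returned token is always fresh.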
@@ -139,25 +151,28 @@ public class RefreshableKeycloakSecurityContext extends KeycloakSecurityContext
 }
 String tokenString = response.getToken();
 AccessToken token = null;
+ IDToken idToken = null;
 try {
 AdapterTokenVerifier.VerifiedTokens tokens = AdapterTokenVerifier.verifyTokens(tokenString, response.getIdToken(), deployment);
 token = tokens.getAccessToken();
+ idToken = tokens.getIdToken();
 log.debug("Token Verification succeeded!");
 } catch (VerificationException e) {
 log.error("failed verification of token");
 return false;
 }
- // If the TTL is greater-or-equal to the expire time on the refreshed token, have to abort or go into an infinite refresh loop
 if (!isTokenTimeToLiveSufficient(token)) {
 log.error("failed to refresh the token with a longer time-to-live than the minimum");
 return false;
 }
-
 if (response.getNotBeforePolicy() > deployment.getNotBefore()) {
 deployment.updateNotBefore(response.getNotBeforePolicy());
 }
-
+ if (idToken != null) {
+ this.idToken = idToken;
+ this.idTokenString = response.getIdToken();
+ }
 this.token = token;
 if (response.getRefreshToken() != null) {
 if (log.isTraceEnabled()) {
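Review bot: The removed line `// If the TTL is greater-or-equal to the expire time on the refreshed token, have to abort or go into an infinite refresh loop` was the only explanation of why `isTokenTimeToLiveSufficient(token)` aborts the refresh, and the check itself is kept, so the why-comment should be restored above that `if` rather than dropped. The new `if (idToken != null)` block only replaces the stored ID token when the refresh response carried one that passed `verifyTokens`; when the response has no ID token, the access token is updated while the old ID token (the one the caller just found expired) stays in place with no log line, which makes the KEYCLOAK-14940 symptom hard to diagnose. A one-line `log.debug("refresh response contained no ID token; keeping the previous one")` in an `else` branch would make that path visible. The enclosing method starts before this hunk and continues after it.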