KEYCLOAK-10013 Do not reject tokens with issuedAt == notBefore

mhajas 2019-04-10 09:54:42 +02:00 committed by Marek Posolda
parent 92567d5a77
commit 5b47df8979
2 changed files with 20 additions and 1 deletions


@ -76,7 +76,7 @@ public class RefreshableKeycloakSecurityContext extends KeycloakSecurityContext
}
public boolean isActive() {
return token != null && this.token.isActive() && deployment!=null && this.token.getIssuedAt() > deployment.getNotBefore();
return token != null && this.token.isActive() && deployment!=null && this.token.getIssuedAt() >= deployment.getNotBefore();
}
public boolean isTokenTimeToLiveSufficient(AccessToken token) {
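Review bot: The inclusive comparison in `isActive()` carries a revocation trade-off that is not documented next to the code. `deployment.getNotBefore()` acts as the cut-off for rejecting older tokens, and if both values are whole-second timestamps (the int literals in the accompanying test suggest so, but confirm), a token issued in the same second as a not-before push, yet slightly before it, is now treated as active. I would add a Javadoc on the method such as `Returns true only for an active token whose issuedAt is not earlier than the deployment's notBefore; equality is accepted (KEYCLOAK-10013)`, plus one sentence on the granularity caveat. Separately, as a style point, the expression mixes `token` with `this.token` and writes `deployment!=null` without spaces; making these consistent would make the condition easier to audit.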


@ -4,6 +4,8 @@ import org.junit.Test;
import org.keycloak.representations.oidc.TokenMetadataRepresentation;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
/**
* @author github.com/tubbynl
*
@ -20,4 +22,21 @@ public class RefreshableKeycloakSecurityContextTest {
// verify false if null deployment (KEYCLOAK-3050; yielded a npe)
assertFalse(sut.isActive());
}
@Test
public void sameIssuedAtAsNotBeforeIsActiveKEYCLOAK10013() {
KeycloakDeployment keycloakDeployment = new KeycloakDeployment();
keycloakDeployment.setNotBefore(5000);
TokenMetadataRepresentation token = new TokenMetadataRepresentation();
token.setActive(true);
token.issuedAt(4999);
RefreshableKeycloakSecurityContext sut = new RefreshableKeycloakSecurityContext(keycloakDeployment,null,null,token,null, null, null);
assertFalse(sut.isActive());
token.issuedAt(5000);
assertTrue(sut.isActive());
}
}
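Review bot: The new test covers issuedAt below and equal to notBefore but not above it, so the boundary is not pinned from all three sides; adding `token.issuedAt(5001); assertTrue(sut.isActive());` after the last assertion would close that gap. The name `sameIssuedAtAsNotBeforeIsActiveKEYCLOAK10013` describes only the equality case, while the first assertion checks that an older token is rejected. That rejection is the security-relevant half, so give it its own test or at least a comment such as `// issued before notBefore: must be rejected`. The test also mutates one token instance between assertions, which relies on the context holding a reference to it and not a copy.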