diff --git a/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java b/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java
index 8e8c576e93..0785420b67 100644
--- a/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java
+++ b/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java
@@ -153,7 +153,8 @@ public class RestartLoginCookie {
 }
 String encodedCookie = cook.getValue();
 JWSInput input = new JWSInput(encodedCookie);
- SecretKey secretKey = session.keys().getHmacSecretKey(realm, input.getHeader().getKeyId());
+ String kid = input.getHeader().getKeyId();
+ SecretKey secretKey = kid == null ? session.keys().getActiveHmacKey(realm).getSecretKey() : session.keys().getHmacSecretKey(realm, input.getHeader().getKeyId());
 if (secretKey == null) {
 logger.debug("Failed to retrieve HMAC secret key for session restart");
 return null;
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RestartCookieTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RestartCookieTest.java
index 375070b4b0..0bac68d1bd 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RestartCookieTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RestartCookieTest.java
@@ -88,9 +88,9 @@ public class RestartCookieTest extends AbstractTestRealmKeycloakTest {
 }
- // KEYCLOAK-5440
+ // KEYCLOAK-5440 -- migration from Keycloak 3.1.0
 @Test
- public void testRestartCookieBackwardsCompatible() throws IOException, MessagingException {
+ public void testRestartCookieBackwardsCompatible_Keycloak25() throws IOException, MessagingException {
 String oldRestartCookie = testingClient.server().fetchString((KeycloakSession session) -> {
 try {
 String cookieVal = OLD_RESTART_COOKIE_JSON.replace("\n", "").replace(" ", "");
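Review bot: The new ternary on the added `SecretKey secretKey = ...` line re-reads `input.getHeader().getKeyId()` in its else branch even though the line just above it already stores that value in `kid`; use the local instead: `SecretKey secretKey = kid == null ? session.keys().getActiveHmacKey(realm).getSecretKey() : session.keys().getHmacSecretKey(realm, kid);`. Nothing in the hunk says why a missing kid falls back to the active key, so a short comment would help the next reader, e.g. `// Restart cookies issued by old Keycloak versions carry no kid; verify them against the currently active HMAC key (KEYCLOAK-7158)` — the test added in the same commit states that 1.9.8 tokens had no kid. Whether `getActiveHmacKey(realm)` can return null is not visible here; if it can, the fallback branch throws before reaching the `secretKey == null` check that logs and returns null, so it may deserve the same null handling. The enclosing method starts and ends outside the hunk.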
@@ -125,4 +125,44 @@ public class RestartCookieTest extends AbstractTestRealmKeycloakTest {
 .client((String) null)
 .assertEvent();
 }
+
+
+ // KEYCLOAK-7158 -- migration from Keycloak 1.9.8
+ @Test
+ public void testRestartCookieBackwardsCompatible_Keycloak19() throws IOException, MessagingException {
+ String oldRestartCookie = testingClient.server().fetchString((KeycloakSession session) -> {
+ try {
+ String cookieVal = OLD_RESTART_COOKIE_JSON.replace("\n", "").replace(" ", "");
+ RealmModel realm = session.realms().getRealmByName("test");
+
+ KeyManager.ActiveHmacKey activeKey = session.keys().getActiveHmacKey(realm);
+
+ // There was no KID in the token in Keycloak 1.9.8
+ String encodedToken = new JWSBuilder()
+ //.kid(activeKey.getKid())
+ .content(cookieVal.getBytes("UTF-8"))
+ .hmac256(activeKey.getSecretKey());
+
+ return encodedToken;
+
+
+ } catch (IOException ioe) {
+ throw new RuntimeException(ioe);
+ }
+ });
+
+ oauth.openLoginForm();
+
+ driver.manage().deleteAllCookies();
+ driver.manage().addCookie(new Cookie(RestartLoginCookie.KC_RESTART, oldRestartCookie));
+
+ loginPage.login("foo", "bar");
+ loginPage.assertCurrent();
+ Assert.assertEquals("You took too long to login. Login process starting from beginning.", loginPage.getError());
+
+ events.expectLogin().user((String) null).session((String) null).error(Errors.EXPIRED_CODE).clearDetails()
+ .detail(Details.RESTART_AFTER_TIMEOUT, "true")
+ .client((String) null)
+ .assertEvent();
+ }
 }
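Review bot: The commented-out `//.kid(activeKey.getKid())` line inside the JWSBuilder chain of testRestartCookieBackwardsCompatible_Keycloak19 is dead code; the comment directly above it (`// There was no KID in the token in Keycloak 1.9.8`) already documents the intent, so the commented-out call should be removed rather than left to drift from the builder API. `cookieVal.getBytes("UTF-8")` could become `cookieVal.getBytes(StandardCharsets.UTF_8)`, but that would remove the only checked IOException in the try block, so the surrounding try/catch would have to go with it and the import added if the file lacks it. Everything after the `fetchString` call (opening the login form, swapping in the cookie, logging in, asserting the EXPIRED_CODE event) appears to duplicate the tail of the `_Keycloak25` test whose closing lines form this hunk's context; a private helper taking the encoded cookie would keep the two migration variants in sync. The two blank lines between `return encodedToken;` and `} catch` are stray.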