KEYCLOAK-18296 RefreshTokenRequest returns incorrect error code during failed HoK request

2021-05-27 17:46:47 +09:00 · 2021-05-27 17:46:47 +09:00 · 669556af71
commit 669556af71
parent c52d0babce
2 changed files with 3 additions and 3 deletions
--- a/services/src/main/java/org/keycloak/services/clientpolicy/executor/HolderOfKeyEnforcerExecutor.java
+++ b/services/src/main/java/org/keycloak/services/clientpolicy/executor/HolderOfKeyEnforcerExecutor.java
@ -180,7 +180,7 @@ public class HolderOfKeyEnforcerExecutor implements ClientPolicyExecutorProvider
        }

        if (!MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(refreshToken, request, session)) {
-            throw new ClientPolicyException(Errors.NOT_ALLOWED, MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC, Response.Status.UNAUTHORIZED);
+            throw new ClientPolicyException(OAuthErrorException.INVALID_GRANT, MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC, Response.Status.BAD_REQUEST);
        }
    }

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientPoliciesTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientPoliciesTest.java
@ -2226,8 +2226,8 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
        }  catch (IOException ioe) {
            throw new RuntimeException(ioe);
        }
-        assertEquals(401, accessTokenResponseRefreshed.getStatusCode());
-        assertEquals(Errors.NOT_ALLOWED, accessTokenResponseRefreshed.getError());
+        assertEquals(400, accessTokenResponseRefreshed.getStatusCode());
+        assertEquals(OAuthErrorException.INVALID_GRANT, accessTokenResponseRefreshed.getError());

        // Check token revoke with other certificate
        try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithOtherKeyStoreAndTrustStore()) {