KEYCLOAK-6615 Remove offline session from database on offline token logout

remove offline token from database on offline session logout
This commit is contained in:
cgol 2018-02-15 12:06:50 +10:30 committed by Hynek Mlnařík
parent b367e94261
commit 86a8addf49
2 changed files with 49 additions and 1 deletions

View file

@ -211,7 +211,7 @@ public class AuthenticationManager {
userSession.setState(UserSessionModel.State.LOGGED_OUT);
if (offlineSession) {
session.sessions().removeOfflineUserSession(realm, userSession);
new UserSessionManager(session).revokeOfflineUserSession(userSession);
} else {
session.sessions().removeUserSession(realm, userSession);
}

View file

@ -568,4 +568,52 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
assertEquals(400, response.getStatusCode());
}
@Test
public void browserOfflineTokenLogoutFollowedByLoginSameSession() throws Exception {
oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
oauth.clientId("offline-client");
oauth.redirectUri(offlineClientAppUri);
oauth.doLogin("test-user@localhost", "password");
EventRepresentation loginEvent = events.expectLogin()
.client("offline-client")
.detail(Details.REDIRECT_URI, offlineClientAppUri)
.assertEvent();
final String sessionId = loginEvent.getSessionId();
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "secret1");
oauth.verifyToken(tokenResponse.getAccessToken());
String offlineTokenString = tokenResponse.getRefreshToken();
RefreshToken offlineToken = oauth.verifyRefreshToken(offlineTokenString);
events.expectCodeToToken(codeId, sessionId)
.client("offline-client")
.detail(Details.REFRESH_TOKEN_TYPE, TokenUtil.TOKEN_TYPE_OFFLINE)
.assertEvent();
assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
assertEquals(0, offlineToken.getExpiration());
CloseableHttpResponse logoutResponse = oauth.doLogout(offlineTokenString, "secret1");
assertEquals(204, logoutResponse.getStatusLine().getStatusCode());
// after KEYCLOAK-6617 this will no longer work - will need to login again.
oauth.openLoginForm();
String code2 = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
OAuthClient.AccessTokenResponse tokenResponse2 = oauth.doAccessTokenRequest(code2, "secret1");
assertEquals(200, tokenResponse2.getStatusCode());
oauth.verifyToken(tokenResponse2.getAccessToken());
String offlineTokenString2 = tokenResponse2.getRefreshToken();
RefreshToken offlineToken2 = oauth.verifyRefreshToken(offlineTokenString2);
assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken2.getType());
assertEquals(0, offlineToken2.getExpiration());
}
}