libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

KEYCLOAK-4371 Offline Tokens still useless When SSO Session Max is Reached and normal userSession expired

Browse source
This commit is contained in:
mposolda 2017-02-03 11:53:22 +01:00
parent 652152f167
commit 8a16ab52a9
2 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
View file

@ -740,7 +740,7 @@ public class AuthenticationManager {
if (!isSessionValid(realm, userSession)) { if (!isSessionValid(realm, userSession)) {
// Check if accessToken was for the offline session. // Check if accessToken was for the offline session.
if (!isCookie) { if (!isCookie) {
UserSessionModel offlineUserSession = session.sessions().getUserSession(realm, token.getSessionState()); UserSessionModel offlineUserSession = session.sessions().getOfflineUserSession(realm, token.getSessionState());
if (isOfflineSessionValid(realm, offlineUserSession)) { if (isOfflineSessionValid(realm, offlineUserSession)) {
return new AuthResult(user, offlineUserSession, token); return new AuthResult(user, offlineUserSession, token);
} }

3
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java
View file

@ -465,6 +465,9 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
// Set the time offset, so that "normal" userSession expires // Set the time offset, so that "normal" userSession expires
setTimeOffset(86400); setTimeOffset(86400);
// Remove expired sessions. This will remove "normal" userSession
testingClient.testing().removeUserSessions(appRealm.toRepresentation().getId());
// Refresh with the offline token // Refresh with the offline token
tokenResponse = oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "secret1"); tokenResponse = oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "secret1");