KEYCLOAK-1710 UserInfoEndpoint throws NPE if user session is not found

Stian Thorgersen 2015-07-27 15:28:58 +02:00
parent da9e42cb21
commit 8d90ad816a
2 changed files with 28 additions and 3 deletions


@ -36,6 +36,7 @@ import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.AccessToken; import org.keycloak.representations.AccessToken;
import org.keycloak.services.ErrorResponseException; import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.managers.AppAuthManager; import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.resources.Cors; import org.keycloak.services.resources.Cors;
import org.keycloak.services.Urls; import org.keycloak.services.Urls;
@ -117,13 +118,17 @@ public class UserInfoEndpoint {
AccessToken token = null; AccessToken token = null;
try { try {
token = RSATokenVerifier.verifyToken(tokenString, realm.getPublicKey(), Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName())); token = RSATokenVerifier.verifyToken(tokenString, realm.getPublicKey(), Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()), true);
} catch (Exception e) { } catch (Exception e) {
throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "Token invalid", Status.FORBIDDEN); throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "Token invalid", Status.FORBIDDEN);
} }
UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState()); UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState());
ClientSessionModel clientSession = session.sessions().getClientSession(token.getClientSession()); ClientSessionModel clientSession = session.sessions().getClientSession(token.getClientSession());
if (userSession == null || clientSession == null || !AuthenticationManager.isSessionValid(realm, userSession)) {
throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "Token invalid", Status.FORBIDDEN);
}
ClientModel clientModel = realm.getClientByClientId(token.getIssuedFor()); ClientModel clientModel = realm.getClientByClientId(token.getIssuedFor());
UserModel userModel = userSession.getUser(); UserModel userModel = userSession.getUser();
AccessToken userInfo = new AccessToken(); AccessToken userInfo = new AccessToken();
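Review bot: The added guard `if (userSession == null || clientSession == null || !AuthenticationManager.isSessionValid(realm, userSession))` returns the same `"Token invalid"` / 403 for three different states — no user session, no client session, and a session that exists but is no longer valid — and that identical message is already thrown for a signature failure a few lines above, so from the response alone an operator cannot tell an expired session from a corrupt or forged token. Keeping the response wording uniform is reasonable (it avoids disclosing which check failed), so the distinction belongs in a server-side comment rather than the error body; at minimum add `// ids come from the signed token; reject if either session is gone or the user session is no longer valid` above the condition. The new `true` argument passed to `RSATokenVerifier.verifyToken` on the changed line is an unnamed boolean; a short comment naming what it enables (presumably the check that the token is still active, to be confirmed against the verifier's signature) would make the intent readable without opening that class. The enclosing method starts before this hunk and continues past it.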


@ -25,6 +25,7 @@ import org.junit.ClassRule;
import org.junit.Rule; import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.keycloak.OAuth2Constants; import org.keycloak.OAuth2Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService; import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.representations.AccessTokenResponse; import org.keycloak.representations.AccessTokenResponse;
@ -54,8 +55,6 @@ import static org.junit.Assert.assertNotNull;
*/ */
public class UserInfoTest { public class UserInfoTest {
private static RealmModel realm;
@ClassRule @ClassRule
public static KeycloakRule keycloakRule = new KeycloakRule(); public static KeycloakRule keycloakRule = new KeycloakRule();
@ -88,6 +87,27 @@ public class UserInfoTest {
client.close(); client.close();
} }
@Test
public void testSessionExpired() throws Exception {
Client client = ClientBuilder.newClient();
UriBuilder builder = UriBuilder.fromUri(org.keycloak.testsuite.Constants.AUTH_SERVER_ROOT);
URI grantUri = OIDCLoginProtocolService.tokenUrl(builder).build("test");
WebTarget grantTarget = client.target(grantUri);
AccessTokenResponse accessTokenResponse = executeGrantAccessTokenRequest(grantTarget);
KeycloakSession session = keycloakRule.startSession();
keycloakRule.startSession().sessions().removeUserSessions(session.realms().getRealm("test"));
keycloakRule.stopSession(session, true);
Response response = executeUserInfoRequest(accessTokenResponse.getToken());
assertEquals(Status.FORBIDDEN.getStatusCode(), response.getStatus());
response.close();
client.close();
}
@Test @Test
public void testUnsuccessfulUserInfoRequest() throws Exception { public void testUnsuccessfulUserInfoRequest() throws Exception {
Response response = executeUserInfoRequest("bad"); Response response = executeUserInfoRequest("bad");