[KEYCLOAK-7864] - Authorization claim not set in refresh token when issuing a new refresh token

2018-07-16 15:25:22 -03:00 · 2018-07-16 15:25:22 -03:00 · acc5f5c6d1
commit acc5f5c6d1
parent 2cb7ec9432
2 changed files with 34 additions and 1 deletions
--- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
@ -283,6 +283,10 @@ public class TokenManager {
                .accessToken(validation.newToken)
                .generateRefreshToken();

+        if (validation.newToken.getAuthorization() != null) {
+            responseBuilder.getRefreshToken().setAuthorization(validation.newToken.getAuthorization());
+        }
+
        // KEYCLOAK-6771 Certificate Bound Token
        // https://tools.ietf.org/html/draft-ietf-oauth-mtls-08#section-3.1
        // bind refreshed access and refresh token with Client Certificate
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UmaGrantTypeTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UmaGrantTypeTest.java
@ -354,7 +354,7 @@ public class UmaGrantTypeTest extends AbstractResourceServerTest {
    }

    @Test
-    public void testRefreshRpt() throws Exception {
+    public void testRefreshRpt() {
        AccessTokenResponse accessTokenResponse = getAuthzClient().obtainAccessToken("marta", "password");
        AuthorizationResponse response = authorize(null, null, null, null, accessTokenResponse.getToken(), null, null, new PermissionRequest("Resource A", "ScopeA", "ScopeB"));
        String rpt = response.getToken();
@ -376,6 +376,10 @@ public class UmaGrantTypeTest extends AbstractResourceServerTest {

        assertNotNull(refreshToken);

+        AccessToken refreshTokenToken = toAccessToken(refreshToken);
+
+        assertNotNull(refreshTokenToken.getAuthorization());
+
        Client client = ClientBuilder.newClient();
        UriBuilder builder = UriBuilder.fromUri(AUTH_SERVER_ROOT);
        URI uri = OIDCLoginProtocolService.tokenUrl(builder).build(REALM_NAME);
@ -391,6 +395,10 @@ public class UmaGrantTypeTest extends AbstractResourceServerTest {
                .post(Entity.form(parameters)).readEntity(AccessTokenResponse.class);

        assertNotNull(refreshTokenResponse.getToken());
+        refreshToken = refreshTokenResponse.getRefreshToken();
+        refreshTokenToken = toAccessToken(refreshToken);
+
+        assertNotNull(refreshTokenToken.getAuthorization());

        AccessToken refreshedToken = toAccessToken(rpt);
        authorization = refreshedToken.getAuthorization();
@ -402,6 +410,27 @@ public class UmaGrantTypeTest extends AbstractResourceServerTest {
        assertNotNull(permissions);
        assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
        assertTrue(permissions.isEmpty());
+
+        refreshTokenResponse = target.request()
+                .header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("resource-server-test", "secret"))
+                .post(Entity.form(parameters)).readEntity(AccessTokenResponse.class);
+
+        assertNotNull(refreshTokenResponse.getToken());
+        refreshToken = refreshTokenResponse.getRefreshToken();
+        refreshTokenToken = toAccessToken(refreshToken);
+
+        assertNotNull(refreshTokenToken.getAuthorization());
+
+        refreshedToken = toAccessToken(rpt);
+        authorization = refreshedToken.getAuthorization();
+
+        assertNotNull(authorization);
+
+        permissions = authorization.getPermissions();
+
+        assertNotNull(permissions);
+        assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
+        assertTrue(permissions.isEmpty());
    }

    @Test