Merge pull request #599 from patriot1burke/master

KEYCLOAK-547

services/src/main/java/org/keycloak/services/resources/TokenService.java

@@ -429,6 +429,14 @@ public class TokenService {
 
         ClientModel client = authorizeClient(authorizationHeader, form, audit);
         String refreshToken = form.getFirst(OAuth2Constants.REFRESH_TOKEN);
+        if (refreshToken == null) {
+            Map<String, String> error = new HashMap<String, String>();
+            error.put(OAuth2Constants.ERROR, OAuthErrorException.INVALID_REQUEST);
+            error.put(OAuth2Constants.ERROR_DESCRIPTION, "No refresh token");
+            audit.error(Errors.INVALID_TOKEN);
+            logger.error("OAuth Error: no refresh token");
+            return Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build();
+        }
         AccessToken accessToken;
         try {
             accessToken = tokenManager.refreshAccessToken(session, uriInfo, clientConnection, realm, client, refreshToken, audit);

testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java

@@ -34,6 +34,7 @@ import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserSessionModel;
 import org.keycloak.representations.AccessToken;
 import org.keycloak.representations.RefreshToken;
+import org.keycloak.services.resources.TokenService;
 import org.keycloak.testsuite.AssertEvents;
 import org.keycloak.testsuite.OAuthClient;
 import org.keycloak.testsuite.OAuthClient.AccessTokenResponse;
@@ -41,9 +42,22 @@ import org.keycloak.testsuite.pages.LoginPage;
 import org.keycloak.testsuite.rule.KeycloakRule;
 import org.keycloak.testsuite.rule.WebResource;
 import org.keycloak.testsuite.rule.WebRule;
+import org.keycloak.util.BasicAuthHelper;
 import org.keycloak.util.Time;
 import org.openqa.selenium.WebDriver;
 
+import javax.ws.rs.client.Client;
+import javax.ws.rs.client.ClientBuilder;
+import javax.ws.rs.client.Entity;
+import javax.ws.rs.client.WebTarget;
+import javax.ws.rs.core.Form;
+import javax.ws.rs.core.GenericType;
+import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.UriBuilder;
+import java.net.URI;
+import java.util.HashMap;
+
 import static org.hamcrest.Matchers.allOf;
 import static org.hamcrest.Matchers.greaterThan;
 import static org.hamcrest.Matchers.greaterThanOrEqualTo;
@@ -75,6 +89,33 @@ public class RefreshTokenTest {
     @Rule
     public AssertEvents events = new AssertEvents(keycloakRule);
 
+    /**
+     * KEYCLOAK-547
+     *
+     * @throws Exception
+     */
+    @Test
+    public void nullRefreshToken() throws Exception {
+        Client client = ClientBuilder.newClient();
+        UriBuilder builder = UriBuilder.fromUri(org.keycloak.testsuite.Constants.AUTH_SERVER_ROOT);
+        URI uri = TokenService.refreshUrl(builder).build("test");
+        WebTarget target = client.target(uri);
+
+        org.keycloak.representations.AccessTokenResponse tokenResponse = null;
+        {
+            String header = BasicAuthHelper.createHeader("test-app", "password");
+            Form form = new Form();
+            Response response = target.request()
+                    .header(HttpHeaders.AUTHORIZATION, header)
+                    .post(Entity.form(form));
+            Assert.assertEquals(400, response.getStatus());
+            response.close();
+        }
+        events.clear();
+
+
+    }
+
     @Test
     public void refreshTokenRequest() throws Exception {
         oauth.doLogin("test-user@localhost", "password");