From c49dbd66fa7060ca0730c46ed48d759e32da1136 Mon Sep 17 00:00:00 2001
From: Thomas Darimont
Date: Tue, 18 May 2021 14:35:44 +0200
Subject: [PATCH] KEYCLOAK-15437 Ensure at_hash is generated for IDTokens on token-refresh
---
 .../keycloak/protocol/oidc/TokenManager.java | 2 +-
 .../testsuite/oauth/RefreshTokenTest.java | 27 +++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
index ba0864fc34..34e20985a8 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
@@ -365,7 +365,7 @@ public class TokenManager {
 String scopeParam = clientSession.getNote(OAuth2Constants.SCOPE);
 if (TokenUtil.isOIDCRequest(scopeParam)) {
- responseBuilder.generateIDToken();
+ responseBuilder.generateIDToken().generateAccessTokenHash();
 }
 AccessTokenResponse res = responseBuilder.build();
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java
index 441394d3e2..6ace997d27 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java
@@ -40,6 +40,7 @@ import org.keycloak.protocol.oidc.OIDCConfigAttributes;
 import org.keycloak.protocol.oidc.OIDCLoginProtocol;
 import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
 import org.keycloak.representations.AccessToken;
+import org.keycloak.representations.IDToken;
 import org.keycloak.representations.RefreshToken;
 import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.EventRepresentation;
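Review bot: `generateAccessTokenHash()` can only yield a correct at_hash if the builder's access token for this response has already been set when the chained call runs, and the hunk does not show where that happens — the enclosing refresh method starts before and ends after the hunk, so please confirm the `accessToken(...)` assignment precedes this line and is not replaced again before `build()`. OIDC Core §12.2 expects an at_hash in a refreshed ID token to be computed from the newly issued access token, so a hash over a stale token would be a validation failure for strict relying parties rather than a harmless omission. A short comment would keep the intent from being lost in a later refactor, e.g. `// at_hash must be recomputed over the freshly issued access token (OIDC Core 12.2)`. It is also worth checking that the other `generateIDToken()` call sites in this class chain `generateAccessTokenHash()` the same way, so the claim is present consistently across grant paths.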
@@ -273,6 +274,7 @@ public class RefreshTokenTest extends AbstractKeycloakTest {
 setTimeOffset(0);
 }
+ @Test
 public void refreshTokenWithAccessToken() throws Exception {
 oauth.doLogin("test-user@localhost", "password");
@@ -286,6 +288,31 @@ public class RefreshTokenTest extends AbstractKeycloakTest {
 OAuthClient.AccessTokenResponse response = oauth.doRefreshTokenRequest(accessTokenString, "password");
 Assert.assertNotEquals(200, response.getStatusCode());
+
+ setTimeOffset(0);
+ }
+
+ /**
+ * KEYCLOAK-15437
+ */
+ @Test
+ public void tokenRefreshWithAccessTokenShouldReturnIdTokenWithAccessTokenHash() {
+ oauth.doLogin("test-user@localhost", "password");
+
+ String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
+
+ OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
+ String refreshToken = tokenResponse.getRefreshToken();
+
+ setTimeOffset(2);
+ try {
+ OAuthClient.AccessTokenResponse response = oauth.doRefreshTokenRequest(refreshToken, "password");
+ Assert.assertEquals(200, response.getStatusCode());
+ IDToken idToken = oauth.verifyToken(response.getIdToken());
+ Assert.assertNotNull("AccessTokenHash should not be null after token refresh", idToken.getAccessTokenHash());
+ } finally {
+ setTimeOffset(0);
+ }
 }
 @Test
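Review bot: The assertion `Assert.assertNotNull(..., idToken.getAccessTokenHash())` in the new test only proves the claim is present; an at_hash computed over the original access token instead of the refreshed one would also be non-null, so the test cannot distinguish a correct fix from a stale hash. Strengthen it by hashing `response.getAccessToken()` with the same algorithm and truncation the token builder uses and asserting that result equals `idToken.getAccessTokenHash()`. Separately, the `setTimeOffset(0);` added to the end of `refreshTokenWithAccessToken()` runs after `Assert.assertNotEquals(...)`, so an assertion failure there leaves the offset at 2 for every later test in the class, unlike the new test which resets it in `finally`; wrap it the same way, `setTimeOffset(2); try { … } finally { setTimeOffset(0); }`. The name `tokenRefreshWithAccessTokenShouldReturnIdTokenWithAccessTokenHash` says the refresh is done with an access token, but the body passes `tokenResponse.getRefreshToken()`; `tokenRefreshShouldReturnIdTokenWithAccessTokenHash` would describe what it exercises.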