KEYCLOAK-15437 Ensure at_hash is generated for IDTokens on token-refresh

This commit is contained in:
Thomas Darimont 2021-05-18 14:35:44 +02:00 committed by Marek Posolda
parent 860fc4c06c
commit c49dbd66fa
2 changed files with 28 additions and 1 deletions


@ -365,7 +365,7 @@ public class TokenManager {
String scopeParam = clientSession.getNote(OAuth2Constants.SCOPE); String scopeParam = clientSession.getNote(OAuth2Constants.SCOPE);
if (TokenUtil.isOIDCRequest(scopeParam)) { if (TokenUtil.isOIDCRequest(scopeParam)) {
responseBuilder.generateIDToken(); responseBuilder.generateIDToken().generateAccessTokenHash();
} }
AccessTokenResponse res = responseBuilder.build(); AccessTokenResponse res = responseBuilder.build();
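Review bot: The at_hash added on the `generateIDToken().generateAccessTokenHash()` line is only valid if it is computed over the access token that is actually returned, so the call depends on the access token already being generated on `responseBuilder` and on nothing regenerating or re-signing it between this line and `build()`; that ordering is not visible in the hunk, and the enclosing method starts and ends outside it. A short comment would make the dependency explicit, e.g. `// at_hash must be computed after the access token is final; hash alg must match the ID token's signing alg (OIDC Core 3.1.3.6)`. OIDC also requires the hash algorithm to correspond to the ID token's `alg`, which `generateAccessTokenHash()` presumably already handles on the authorization-code path — worth confirming it resolves the same algorithm on refresh. The accompanying test only asserts that at_hash is non-null; asserting that it equals the hash of `response.getAccessToken()` would catch an ordering regression that a null check cannot.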


@ -40,6 +40,7 @@ import org.keycloak.protocol.oidc.OIDCConfigAttributes;
import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService; import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.representations.AccessToken; import org.keycloak.representations.AccessToken;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.RefreshToken; import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.idm.ClientRepresentation; import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.EventRepresentation; import org.keycloak.representations.idm.EventRepresentation;
@ -273,6 +274,7 @@ public class RefreshTokenTest extends AbstractKeycloakTest {
setTimeOffset(0); setTimeOffset(0);
} }
@Test @Test
public void refreshTokenWithAccessToken() throws Exception { public void refreshTokenWithAccessToken() throws Exception {
oauth.doLogin("test-user@localhost", "password"); oauth.doLogin("test-user@localhost", "password");
@ -286,6 +288,31 @@ public class RefreshTokenTest extends AbstractKeycloakTest {
OAuthClient.AccessTokenResponse response = oauth.doRefreshTokenRequest(accessTokenString, "password"); OAuthClient.AccessTokenResponse response = oauth.doRefreshTokenRequest(accessTokenString, "password");
Assert.assertNotEquals(200, response.getStatusCode()); Assert.assertNotEquals(200, response.getStatusCode());
setTimeOffset(0);
}
/**
* KEYCLOAK-15437
*/
@Test
public void tokenRefreshWithAccessTokenShouldReturnIdTokenWithAccessTokenHash() {
oauth.doLogin("test-user@localhost", "password");
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
String refreshToken = tokenResponse.getRefreshToken();
setTimeOffset(2);
try {
OAuthClient.AccessTokenResponse response = oauth.doRefreshTokenRequest(refreshToken, "password");
Assert.assertEquals(200, response.getStatusCode());
IDToken idToken = oauth.verifyToken(response.getIdToken());
Assert.assertNotNull("AccessTokenHash should not be null after token refresh", idToken.getAccessTokenHash());
} finally {
setTimeOffset(0);
}
} }
@Test @Test