KEYCLOAK-15437 Ensure at_hash is generated for IDTokens on token-refresh

2021-05-18 14:35:44 +02:00 · 2021-05-18 14:35:44 +02:00 · c49dbd66fa
commit c49dbd66fa
parent 860fc4c06c
2 changed files with 28 additions and 1 deletions
--- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
@ -365,7 +365,7 @@ public class TokenManager {

        String scopeParam = clientSession.getNote(OAuth2Constants.SCOPE);
        if (TokenUtil.isOIDCRequest(scopeParam)) {
-            responseBuilder.generateIDToken();
+            responseBuilder.generateIDToken().generateAccessTokenHash();
        }

        AccessTokenResponse res = responseBuilder.build();
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java
@ -40,6 +40,7 @@ import org.keycloak.protocol.oidc.OIDCConfigAttributes;
 import org.keycloak.protocol.oidc.OIDCLoginProtocol;
 import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
 import org.keycloak.representations.AccessToken;
+import org.keycloak.representations.IDToken;
 import org.keycloak.representations.RefreshToken;
 import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.EventRepresentation;
@ -273,6 +274,7 @@ public class RefreshTokenTest extends AbstractKeycloakTest {

        setTimeOffset(0);
    }
+
    @Test
    public void refreshTokenWithAccessToken() throws Exception {
        oauth.doLogin("test-user@localhost", "password");
@ -286,6 +288,31 @@ public class RefreshTokenTest extends AbstractKeycloakTest {
        OAuthClient.AccessTokenResponse response = oauth.doRefreshTokenRequest(accessTokenString, "password");

        Assert.assertNotEquals(200, response.getStatusCode());
+
+        setTimeOffset(0);
+    }
+
+    /**
+     * KEYCLOAK-15437
+     */
+    @Test
+    public void tokenRefreshWithAccessTokenShouldReturnIdTokenWithAccessTokenHash() {
+        oauth.doLogin("test-user@localhost", "password");
+
+        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
+
+        OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
+        String refreshToken = tokenResponse.getRefreshToken();
+
+        setTimeOffset(2);
+        try {
+            OAuthClient.AccessTokenResponse response = oauth.doRefreshTokenRequest(refreshToken, "password");
+            Assert.assertEquals(200, response.getStatusCode());
+            IDToken idToken = oauth.verifyToken(response.getIdToken());
+            Assert.assertNotNull("AccessTokenHash should not be null after token refresh", idToken.getAccessTokenHash());
+        } finally {
+            setTimeOffset(0);
+        }
    }

    @Test