KEYCLOAK-4521: consider offline sessions if no active user session was found for user info endpoint

2017-05-04 15:25:09 +02:00 · 2017-05-04 15:25:09 +02:00 · d5c643eaf9
commit d5c643eaf9
parent ee327b7eec
2 changed files with 35 additions and 1 deletions
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java
@ -141,6 +141,15 @@ public class UserInfoEndpoint {

        UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState());
        ClientSessionModel clientSession = session.sessions().getClientSession(token.getClientSession());
+        if( userSession == null ) {
+            userSession = session.sessions().getOfflineUserSession(realm, token.getSessionState());
+            if( AuthenticationManager.isOfflineSessionValid(realm, userSession)) {
+                clientSession = session.sessions().getOfflineClientSession(realm, token.getClientSession());
+            } else {
+                userSession = null;
+                clientSession = null;
+            }
+        }

        if (userSession == null) {
            event.error(Errors.USER_SESSION_NOT_FOUND);
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/UserInfoTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/UserInfoTest.java
@ -249,6 +249,24 @@ public class UserInfoTest extends AbstractKeycloakTest {
        }
    }

+    @Test
+    public void testSessionExpiredOfflineAccess() throws Exception {
+        Client client = ClientBuilder.newClient();
+
+        try {
+            AccessTokenResponse accessTokenResponse = executeGrantAccessTokenRequest(client, true);
+
+            testingClient.testing().removeUserSessions("test");
+
+            Response response = UserInfoClientUtil.executeUserInfoRequest_getMethod(client, accessTokenResponse.getToken());
+
+            testSuccessfulUserInfoResponse(response);
+            response.close();
+        } finally {
+            client.close();
+        }
+    }
+
    @Test
    public void testUnsuccessfulUserInfoRequest() throws Exception {
        Client client = ClientBuilder.newClient();
@ -274,8 +292,12 @@ public class UserInfoTest extends AbstractKeycloakTest {
    }

    private AccessTokenResponse executeGrantAccessTokenRequest(Client client) {
+        return executeGrantAccessTokenRequest(client, false);
+    }
+
+    private AccessTokenResponse executeGrantAccessTokenRequest(Client client, boolean requestOfflineToken) {
        UriBuilder builder = UriBuilder.fromUri(AUTH_SERVER_ROOT);
-        URI grantUri = OIDCLoginProtocolService.tokenUrl(builder).build("test");
+            URI grantUri = OIDCLoginProtocolService.tokenUrl(builder).build("test");
        WebTarget grantTarget = client.target(grantUri);

        String header = BasicAuthHelper.createHeader("test-app", "password");
@ -283,6 +305,9 @@ public class UserInfoTest extends AbstractKeycloakTest {
        form.param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.PASSWORD)
                .param("username", "test-user@localhost")
                .param("password", "password");
+        if( requestOfflineToken) {
+            form.param("scope", "offline_access");
+        }

        Response response = grantTarget.request()
                .header(HttpHeaders.AUTHORIZATION, header)