KEYCLOAK-1961

Same token can be used multiple times to obtain access token
This commit is contained in:
Stian Thorgersen 2015-10-14 20:16:26 +02:00
parent e1fc863421
commit e582de2837
17 changed files with 213 additions and 4 deletions

View file

@ -48,5 +48,11 @@
<addPrimaryKey columnNames="USER_SESSION_ID, OFFLINE" constraintName="CONSTRAINT_OFFLINE_US_SES_PK" tableName="OFFLINE_USER_SESSION"/> <addPrimaryKey columnNames="USER_SESSION_ID, OFFLINE" constraintName="CONSTRAINT_OFFLINE_US_SES_PK" tableName="OFFLINE_USER_SESSION"/>
<addPrimaryKey columnNames="CLIENT_SESSION_ID, OFFLINE" constraintName="CONSTRAINT_OFFLINE_CL_SES_PK" tableName="OFFLINE_CLIENT_SESSION"/> <addPrimaryKey columnNames="CLIENT_SESSION_ID, OFFLINE" constraintName="CONSTRAINT_OFFLINE_CL_SES_PK" tableName="OFFLINE_CLIENT_SESSION"/>
<addColumn tableName="REALM">
<column name="REVOKE_REFRESH_TOKEN" type="BOOLEAN" defaultValueBoolean="false">
<constraints nullable="false"/>
</column>
</addColumn>
</changeSet> </changeSet>
</databaseChangeLog> </databaseChangeLog>

View file

@ -10,6 +10,7 @@ public class RealmRepresentation {
protected String id; protected String id;
protected String realm; protected String realm;
protected Integer notBefore; protected Integer notBefore;
protected Boolean revokeRefreshToken;
protected Integer accessTokenLifespan; protected Integer accessTokenLifespan;
protected Integer ssoSessionIdleTimeout; protected Integer ssoSessionIdleTimeout;
protected Integer ssoSessionMaxLifespan; protected Integer ssoSessionMaxLifespan;
@ -166,6 +167,14 @@ public class RealmRepresentation {
this.sslRequired = sslRequired; this.sslRequired = sslRequired;
} }
public Boolean getRevokeRefreshToken() {
return revokeRefreshToken;
}
public void setRevokeRefreshToken(Boolean revokeRefreshToken) {
this.revokeRefreshToken = revokeRefreshToken;
}
public Integer getAccessTokenLifespan() { public Integer getAccessTokenLifespan() {
return accessTokenLifespan; return accessTokenLifespan;
} }

View file

@ -79,6 +79,19 @@
<section> <section>
<title>Version specific migration</title> <title>Version specific migration</title>
<section>
<title>Migrating to 1.6.0.Final</title>
<simplesect>
<title>Refresh tokens are not reusable anymore</title>
<para>
Old versions of Keycloak allowed reusing refresh tokens multiple times. Keycloak no longer permits
this by default. When a refresh token is used to obtain a new access token a new refresh token is also
included. This new refresh token should be used next time the access token is refreshed. If this is
a problem for you it's possible to enable reuse of refresh tokens in the admin console under token
settings.
</para>
</simplesect>
</section>
<section> <section>
<title>Migrating to 1.5.0.Final</title> <title>Migrating to 1.5.0.Final</title>
<simplesect> <simplesect>

View file

@ -66,6 +66,8 @@ realm-cache-enabled=Realm Cache Enabled
realm-cache-enabled.tooltip=Enable/disable cache for realm, client and role data. realm-cache-enabled.tooltip=Enable/disable cache for realm, client and role data.
user-cache-enabled=User Cache Enabled user-cache-enabled=User Cache Enabled
user-cache-enabled.tooltip=Enable/disable user and user role mapping cache. user-cache-enabled.tooltip=Enable/disable user and user role mapping cache.
revoke-refresh-token=Revoke Refresh Token
revoke-refresh-token.tooltip=If enabled refresh tokens can only be used once. Otherwise refresh tokens are not revoked when used and can be used multiple times.
sso-session-idle=SSO Session Idle sso-session-idle=SSO Session Idle
seconds=Seconds seconds=Seconds
minutes=Minutes minutes=Minutes

View file

@ -3,6 +3,17 @@
<form class="form-horizontal" name="realmForm" novalidate kc-read-only="!access.manageRealm"> <form class="form-horizontal" name="realmForm" novalidate kc-read-only="!access.manageRealm">
<div class="form-group">
<label class="col-md-2 control-label" for="revokeRefreshToken">{{:: 'revoke-refresh-token' | translate}}</label>
<div class="col-md-6">
<input ng-model="realm.revokeRefreshToken" name="revokeRefreshToken" id="revokeRefreshToken" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
</div>
<kc-tooltip>{{:: 'revoke-refresh-token.tooltip' | translate}}
</kc-tooltip>
</div>
<div class="form-group"> <div class="form-group">
<label class="col-md-2 control-label" for="ssoSessionIdleTimeout">{{:: 'sso-session-idle' | translate}}</label> <label class="col-md-2 control-label" for="ssoSessionIdleTimeout">{{:: 'sso-session-idle' | translate}}</label>

View file

@ -91,6 +91,9 @@ public interface RealmModel extends RoleContainerModel {
void setResetPasswordAllowed(boolean resetPasswordAllowed); void setResetPasswordAllowed(boolean resetPasswordAllowed);
boolean isRevokeRefreshToken();
void setRevokeRefreshToken(boolean revokeRefreshToken);
int getSsoSessionIdleTimeout(); int getSsoSessionIdleTimeout();
void setSsoSessionIdleTimeout(int seconds); void setSsoSessionIdleTimeout(int seconds);

View file

@ -39,6 +39,7 @@ public class RealmEntity extends AbstractIdentifiableEntity {
private int failureFactor; private int failureFactor;
//--- end brute force settings //--- end brute force settings
private boolean revokeRefreshToken;
private int ssoSessionIdleTimeout; private int ssoSessionIdleTimeout;
private int ssoSessionMaxLifespan; private int ssoSessionMaxLifespan;
private int accessTokenLifespan; private int accessTokenLifespan;
@ -229,6 +230,14 @@ public class RealmEntity extends AbstractIdentifiableEntity {
this.failureFactor = failureFactor; this.failureFactor = failureFactor;
} }
public boolean isRevokeRefreshToken() {
return revokeRefreshToken;
}
public void setRevokeRefreshToken(boolean revokeRefreshToken) {
this.revokeRefreshToken = revokeRefreshToken;
}
public int getSsoSessionIdleTimeout() { public int getSsoSessionIdleTimeout() {
return ssoSessionIdleTimeout; return ssoSessionIdleTimeout;
} }

View file

@ -144,6 +144,7 @@ public class ModelToRepresentation {
rep.setVerifyEmail(realm.isVerifyEmail()); rep.setVerifyEmail(realm.isVerifyEmail());
rep.setResetPasswordAllowed(realm.isResetPasswordAllowed()); rep.setResetPasswordAllowed(realm.isResetPasswordAllowed());
rep.setEditUsernameAllowed(realm.isEditUsernameAllowed()); rep.setEditUsernameAllowed(realm.isEditUsernameAllowed());
rep.setRevokeRefreshToken(realm.isRevokeRefreshToken());
rep.setAccessTokenLifespan(realm.getAccessTokenLifespan()); rep.setAccessTokenLifespan(realm.getAccessTokenLifespan());
rep.setSsoSessionIdleTimeout(realm.getSsoSessionIdleTimeout()); rep.setSsoSessionIdleTimeout(realm.getSsoSessionIdleTimeout());
rep.setSsoSessionMaxLifespan(realm.getSsoSessionMaxLifespan()); rep.setSsoSessionMaxLifespan(realm.getSsoSessionMaxLifespan());

View file

@ -1,9 +1,5 @@
package org.keycloak.models.utils; package org.keycloak.models.utils;
import org.keycloak.models.session.PersistentClientSessionModel;
import org.keycloak.models.session.PersistentUserSessionModel;
import org.keycloak.representations.idm.OfflineClientSessionRepresentation;
import org.keycloak.representations.idm.OfflineUserSessionRepresentation;
import org.keycloak.util.Base64; import org.keycloak.util.Base64;
import org.jboss.logging.Logger; import org.jboss.logging.Logger;
import org.keycloak.enums.SslRequired; import org.keycloak.enums.SslRequired;
@ -100,6 +96,9 @@ public class RepresentationToModel {
if (rep.getNotBefore() != null) newRealm.setNotBefore(rep.getNotBefore()); if (rep.getNotBefore() != null) newRealm.setNotBefore(rep.getNotBefore());
if (rep.getRevokeRefreshToken() != null) newRealm.setRevokeRefreshToken(rep.getRevokeRefreshToken());
else newRealm.setRevokeRefreshToken(false);
if (rep.getAccessTokenLifespan() != null) newRealm.setAccessTokenLifespan(rep.getAccessTokenLifespan()); if (rep.getAccessTokenLifespan() != null) newRealm.setAccessTokenLifespan(rep.getAccessTokenLifespan());
else newRealm.setAccessTokenLifespan(300); else newRealm.setAccessTokenLifespan(300);
@ -532,6 +531,7 @@ public class RepresentationToModel {
if (rep.getAccessCodeLifespanUserAction() != null) realm.setAccessCodeLifespanUserAction(rep.getAccessCodeLifespanUserAction()); if (rep.getAccessCodeLifespanUserAction() != null) realm.setAccessCodeLifespanUserAction(rep.getAccessCodeLifespanUserAction());
if (rep.getAccessCodeLifespanLogin() != null) realm.setAccessCodeLifespanLogin(rep.getAccessCodeLifespanLogin()); if (rep.getAccessCodeLifespanLogin() != null) realm.setAccessCodeLifespanLogin(rep.getAccessCodeLifespanLogin());
if (rep.getNotBefore() != null) realm.setNotBefore(rep.getNotBefore()); if (rep.getNotBefore() != null) realm.setNotBefore(rep.getNotBefore());
if (rep.getRevokeRefreshToken() != null) realm.setRevokeRefreshToken(rep.getRevokeRefreshToken());
if (rep.getAccessTokenLifespan() != null) realm.setAccessTokenLifespan(rep.getAccessTokenLifespan()); if (rep.getAccessTokenLifespan() != null) realm.setAccessTokenLifespan(rep.getAccessTokenLifespan());
if (rep.getSsoSessionIdleTimeout() != null) realm.setSsoSessionIdleTimeout(rep.getSsoSessionIdleTimeout()); if (rep.getSsoSessionIdleTimeout() != null) realm.setSsoSessionIdleTimeout(rep.getSsoSessionIdleTimeout());
if (rep.getSsoSessionMaxLifespan() != null) realm.setSsoSessionMaxLifespan(rep.getSsoSessionMaxLifespan()); if (rep.getSsoSessionMaxLifespan() != null) realm.setSsoSessionMaxLifespan(rep.getSsoSessionMaxLifespan());

View file

@ -325,6 +325,16 @@ public class RealmAdapter implements RealmModel {
} }
@Override
public boolean isRevokeRefreshToken() {
return realm.isRevokeRefreshToken();
}
@Override
public void setRevokeRefreshToken(boolean revokeRefreshToken) {
realm.setRevokeRefreshToken(revokeRefreshToken);
}
@Override @Override
public int getSsoSessionIdleTimeout() { public int getSsoSessionIdleTimeout() {
return realm.getSsoSessionIdleTimeout(); return realm.getSsoSessionIdleTimeout();

View file

@ -239,6 +239,18 @@ public class RealmAdapter implements RealmModel {
updated.setEditUsernameAllowed(editUsernameAllowed); updated.setEditUsernameAllowed(editUsernameAllowed);
} }
@Override
public boolean isRevokeRefreshToken() {
if (updated != null) return updated.isRevokeRefreshToken();
return cached.isRevokeRefreshToken();
}
@Override
public void setRevokeRefreshToken(boolean revokeRefreshToken) {
getDelegateForUpdate();
updated.setRevokeRefreshToken(revokeRefreshToken);
}
@Override @Override
public int getSsoSessionIdleTimeout() { public int getSsoSessionIdleTimeout() {
if (updated != null) return updated.getSsoSessionIdleTimeout(); if (updated != null) return updated.getSsoSessionIdleTimeout();

View file

@ -55,6 +55,7 @@ public class CachedRealm implements Serializable {
private int failureFactor; private int failureFactor;
//--- end brute force settings //--- end brute force settings
private boolean revokeRefreshToken;
private int ssoSessionIdleTimeout; private int ssoSessionIdleTimeout;
private int ssoSessionMaxLifespan; private int ssoSessionMaxLifespan;
private int accessTokenLifespan; private int accessTokenLifespan;
@ -136,6 +137,7 @@ public class CachedRealm implements Serializable {
failureFactor = model.getFailureFactor(); failureFactor = model.getFailureFactor();
//--- end brute force settings //--- end brute force settings
revokeRefreshToken = model.isRevokeRefreshToken();
ssoSessionIdleTimeout = model.getSsoSessionIdleTimeout(); ssoSessionIdleTimeout = model.getSsoSessionIdleTimeout();
ssoSessionMaxLifespan = model.getSsoSessionMaxLifespan(); ssoSessionMaxLifespan = model.getSsoSessionMaxLifespan();
accessTokenLifespan = model.getAccessTokenLifespan(); accessTokenLifespan = model.getAccessTokenLifespan();
@ -313,6 +315,10 @@ public class CachedRealm implements Serializable {
return editUsernameAllowed; return editUsernameAllowed;
} }
public boolean isRevokeRefreshToken() {
return revokeRefreshToken;
}
public int getSsoSessionIdleTimeout() { public int getSsoSessionIdleTimeout() {
return ssoSessionIdleTimeout; return ssoSessionIdleTimeout;
} }

View file

@ -336,6 +336,16 @@ public class RealmAdapter implements RealmModel {
realm.setNotBefore(notBefore); realm.setNotBefore(notBefore);
} }
@Override
public boolean isRevokeRefreshToken() {
return realm.isRevokeRefreshToken();
}
@Override
public void setRevokeRefreshToken(boolean revokeRefreshToken) {
realm.setRevokeRefreshToken(revokeRefreshToken);
}
@Override @Override
public int getAccessTokenLifespan() { public int getAccessTokenLifespan() {
return realm.getAccessTokenLifespan(); return realm.getAccessTokenLifespan();

View file

@ -76,6 +76,8 @@ public class RealmEntity {
@Column(name="EDIT_USERNAME_ALLOWED") @Column(name="EDIT_USERNAME_ALLOWED")
protected boolean editUsernameAllowed; protected boolean editUsernameAllowed;
@Column(name="REVOKE_REFRESH_TOKEN")
private boolean revokeRefreshToken;
@Column(name="SSO_IDLE_TIMEOUT") @Column(name="SSO_IDLE_TIMEOUT")
private int ssoSessionIdleTimeout; private int ssoSessionIdleTimeout;
@Column(name="SSO_MAX_LIFESPAN") @Column(name="SSO_MAX_LIFESPAN")
@ -288,6 +290,14 @@ public class RealmEntity {
this.editUsernameAllowed = editUsernameAllowed; this.editUsernameAllowed = editUsernameAllowed;
} }
public boolean isRevokeRefreshToken() {
return revokeRefreshToken;
}
public void setRevokeRefreshToken(boolean revokeRefreshToken) {
this.revokeRefreshToken = revokeRefreshToken;
}
public int getSsoSessionIdleTimeout() { public int getSsoSessionIdleTimeout() {
return ssoSessionIdleTimeout; return ssoSessionIdleTimeout;
} }

View file

@ -311,6 +311,16 @@ public class RealmAdapter extends AbstractMongoAdapter<MongoRealmEntity> impleme
updateRealm(); updateRealm();
} }
@Override
public boolean isRevokeRefreshToken() {
return realm.isRevokeRefreshToken();
}
@Override
public void setRevokeRefreshToken(boolean revokeRefreshToken) {
realm.setRevokeRefreshToken(revokeRefreshToken);
updateRealm();
}
@Override @Override
public int getSsoSessionIdleTimeout() { public int getSsoSessionIdleTimeout() {

View file

@ -161,6 +161,15 @@ public class TokenManager {
} }
int currentTime = Time.currentTime(); int currentTime = Time.currentTime();
if (realm.isRevokeRefreshToken() && !refreshToken.getType().equals(TokenUtil.TOKEN_TYPE_OFFLINE)) {
if (refreshToken.getIssuedAt() < validation.clientSession.getTimestamp()) {
throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale token");
}
validation.clientSession.setTimestamp(currentTime);
}
validation.userSession.setLastSessionRefresh(currentTime); validation.userSession.setLastSessionRefresh(currentTime);
AccessTokenResponseBuilder responseBuilder = responseBuilder(realm, authorizedClient, event, session, validation.userSession, validation.clientSession) AccessTokenResponseBuilder responseBuilder = responseBuilder(realm, authorizedClient, event, session, validation.userSession, validation.clientSession)

View file

@ -30,6 +30,7 @@ import org.keycloak.enums.SslRequired;
import org.keycloak.events.Details; import org.keycloak.events.Details;
import org.keycloak.events.Errors; import org.keycloak.events.Errors;
import org.keycloak.events.Event; import org.keycloak.events.Event;
import org.keycloak.events.EventType;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel; import org.keycloak.models.UserSessionModel;
@ -181,6 +182,93 @@ public class RefreshTokenTest {
Time.setOffset(0); Time.setOffset(0);
} }
@Test
public void refreshTokenReuseTokenWithoutRefreshTokensRevoked() throws Exception {
try {
oauth.doLogin("test-user@localhost", "password");
Event loginEvent = events.expectLogin().assertEvent();
String sessionId = loginEvent.getSessionId();
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
AccessTokenResponse response1 = oauth.doAccessTokenRequest(code, "password");
RefreshToken refreshToken1 = oauth.verifyRefreshToken(response1.getRefreshToken());
events.expectCodeToToken(codeId, sessionId).assertEvent();
Time.setOffset(2);
AccessTokenResponse response2 = oauth.doRefreshTokenRequest(response1.getRefreshToken(), "password");
Assert.assertEquals(200, response2.getStatusCode());
events.expectRefresh(refreshToken1.getId(), sessionId).assertEvent();
AccessTokenResponse response3 = oauth.doRefreshTokenRequest(response1.getRefreshToken(), "password");
Assert.assertEquals(200, response3.getStatusCode());
events.expectRefresh(refreshToken1.getId(), sessionId).assertEvent();
} finally {
Time.setOffset(0);
}
}
@Test
public void refreshTokenReuseTokenWithRefreshTokensRevoked() throws Exception {
try {
keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
@Override
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
appRealm.setRevokeRefreshToken(true);
}
});
oauth.doLogin("test-user@localhost", "password");
Event loginEvent = events.expectLogin().assertEvent();
String sessionId = loginEvent.getSessionId();
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
AccessTokenResponse response1 = oauth.doAccessTokenRequest(code, "password");
RefreshToken refreshToken1 = oauth.verifyRefreshToken(response1.getRefreshToken());
events.expectCodeToToken(codeId, sessionId).assertEvent();
Time.setOffset(2);
AccessTokenResponse response2 = oauth.doRefreshTokenRequest(response1.getRefreshToken(), "password");
RefreshToken refreshToken2 = oauth.verifyRefreshToken(response2.getRefreshToken());
Assert.assertEquals(200, response2.getStatusCode());
events.expectRefresh(refreshToken1.getId(), sessionId).assertEvent();
AccessTokenResponse response3 = oauth.doRefreshTokenRequest(response1.getRefreshToken(), "password");
Assert.assertEquals(400, response3.getStatusCode());
events.expectRefresh(refreshToken1.getId(), sessionId).removeDetail(Details.TOKEN_ID).removeDetail(Details.UPDATED_REFRESH_TOKEN_ID).error("invalid_token").assertEvent();
oauth.doRefreshTokenRequest(response2.getRefreshToken(), "password");
events.expectRefresh(refreshToken2.getId(), sessionId).assertEvent();
} finally {
Time.setOffset(0);
keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
@Override
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
appRealm.setRevokeRefreshToken(false);
}
});
}
}
PrivateKey privateKey; PrivateKey privateKey;
PublicKey publicKey; PublicKey publicKey;