diff --git a/model/map/src/main/java/org/keycloak/models/map/authorization/MapPermissionTicketStore.java b/model/map/src/main/java/org/keycloak/models/map/authorization/MapPermissionTicketStore.java
index a50878aca5..24c2d2fc62 100644
--- a/model/map/src/main/java/org/keycloak/models/map/authorization/MapPermissionTicketStore.java
+++ b/model/map/src/main/java/org/keycloak/models/map/authorization/MapPermissionTicketStore.java
@@ -19,6 +19,7 @@ package org.keycloak.models.map.authorization;
 import org.jboss.logging.Logger;
 import org.keycloak.authorization.AuthorizationProvider;
+import org.keycloak.authorization.UserManagedPermissionUtil;
 import org.keycloak.authorization.model.PermissionTicket;
 import org.keycloak.authorization.model.PermissionTicket.SearchableFields;
 import org.keycloak.authorization.model.Resource;
@@ -129,7 +130,12 @@ public class MapPermissionTicketStore implements PermissionTicketStore {
 @Override
 public void delete(String id) {
 LOG.tracef("delete(%s)%s", id, getShortStackTrace());
+
+ PermissionTicket permissionTicket = findById(id, null);
+ if (permissionTicket == null) return;
+
 tx.delete(id);
+ UserManagedPermissionUtil.removePolicy(permissionTicket, authorizationProvider.getStoreFactory());
 }
 @Override
diff --git a/model/map/src/main/java/org/keycloak/models/map/authorization/adapter/MapResourceAdapter.java b/model/map/src/main/java/org/keycloak/models/map/authorization/adapter/MapResourceAdapter.java
index 1a2db083a9..b0768a1fcb 100644
--- a/model/map/src/main/java/org/keycloak/models/map/authorization/adapter/MapResourceAdapter.java
+++ b/model/map/src/main/java/org/keycloak/models/map/authorization/adapter/MapResourceAdapter.java
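Review bot: The lookup `findById(id, null)` in delete() passes null for the second argument, so the ticket is resolved without any resource-server scoping; if that parameter is the resource server id, confirm that null means "any server" rather than "none", because otherwise the new early return silently skips both the deletion and the removePolicy cleanup. That early return also turns an unknown id into a silent no-op, whereas the store traces every other step; keeping it consistent is one line, `if (permissionTicket == null) { LOG.tracef("delete(%s): ticket not found", id); return; }`, and gives the braces the rest of this file uses. `UserManagedPermissionUtil.removePolicy` runs only after `tx.delete(id)`; if it needs to read anything through the ticket's store (rather than the already-loaded permissionTicket object), it should be called before the delete, otherwise the current order is fine but worth a one-line comment stating that the ticket object is fully loaded at that point.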
@@ -17,7 +17,10 @@ package org.keycloak.models.map.authorization.adapter;
+import org.keycloak.authorization.model.PermissionTicket;
 import org.keycloak.authorization.model.Scope;
+import org.keycloak.authorization.store.PermissionTicketStore;
+import org.keycloak.authorization.store.PolicyStore;
 import org.keycloak.authorization.store.StoreFactory;
 import org.keycloak.models.map.authorization.entity.MapResourceEntity;
@@ -129,6 +132,25 @@ public class MapResourceAdapter extends AbstractResourceModel
 @Override
 public void updateScopes(Set scopes) {
 throwExceptionIfReadonly();
+
+ PermissionTicketStore permissionStore = storeFactory.getPermissionTicketStore();
+ PolicyStore policyStore = storeFactory.getPolicyStore();
+
+ for (Scope scope : getScopes()) {
+ if (!scopes.contains(scope)) {
+ // The scope^ was removed from the Resource
+
+ // Remove permission tickets based on the scope
+ List permissions = permissionStore.findByScope(scope.getId(), getResourceServer());
+ for (PermissionTicket permission : permissions) {
+ permissionStore.delete(permission.getId());
+ }
+
+ // Remove the scope from each Policy for this Resource
+ policyStore.findByResource(getId(), getResourceServer(), policy -> policy.removeScope(scope));
+ }
+ }
+
 entity.setScopeIds(scopes.stream().map(Scope::getId).collect(Collectors.toSet()));
 }
diff --git a/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java b/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java
index abffcf4d43..c1834665dc 100644
--- a/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java
+++ b/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java
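Review bot: `permissionStore.findByScope(scope.getId(), getResourceServer())` in updateScopes is keyed only by scope and resource server, so the delete loop removes every permission ticket carrying that scope across the whole resource server, including tickets granted on other resources that still legitimately have the scope, while the comment says the intent is tickets for this resource. Unless findByScope is documented as resource-specific, filter before deleting, e.g. `if (permission.getResource() != null && getId().equals(permission.getResource().getId())) permissionStore.delete(permission.getId());` (assuming PermissionTicket exposes its resource as getResource(); adjust to the actual accessor). The removal check `!scopes.contains(scope)` depends on Scope implementations comparing by id; if the adapters compare by identity, every existing scope is treated as removed and all its tickets are dropped, so a test that calls updateScopes with the unchanged scope set and asserts no tickets were deleted would pin this. The comment `// The scope^ was removed from the Resource` has a stray caret.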
@@ -494,15 +494,14 @@ public class AuthorizationTokenService {
 }
 }
- resolvePreviousGrantedPermissions(ticket, request, resourceServer, permissionsToEvaluate, resourceStore, scopeStore, limit);
+ resolvePreviousGrantedPermissions(request, resourceServer, permissionsToEvaluate, resourceStore, scopeStore, limit);
 return permissionsToEvaluate.values();
 }
- private void resolvePreviousGrantedPermissions(PermissionTicketToken ticket,
- KeycloakAuthorizationRequest request, ResourceServer resourceServer,
- Map permissionsToEvaluate, ResourceStore resourceStore, ScopeStore scopeStore,
- AtomicInteger limit) {
+ private void resolvePreviousGrantedPermissions(KeycloakAuthorizationRequest request, ResourceServer resourceServer,
+ Map permissionsToEvaluate, ResourceStore resourceStore, ScopeStore scopeStore,
+ AtomicInteger limit) {
 AccessToken rpt = request.getRpt();
 if (rpt != null && rpt.isActive()) {
@@ -517,7 +516,7 @@ public class AuthorizationTokenService {
 break;
 }
- Resource resource = resourceStore.findById(grantedPermission.getResourceId(), ticket.getIssuedFor());
+ Resource resource = resourceStore.findById(grantedPermission.getResourceId(), resourceServer.getId());
 if (resource != null) {
 ResourcePermission permission = permissionsToEvaluate.get(resource.getId());
diff --git a/testsuite/integration-arquillian/tests/base/pom.xml b/testsuite/integration-arquillian/tests/base/pom.xml
index 7e2aa716e4..bba2f1a0cd 100644
--- a/testsuite/integration-arquillian/tests/base/pom.xml
+++ b/testsuite/integration-arquillian/tests/base/pom.xml
@@ -1134,6 +1134,7 @@ map map map + false
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/META-INF/keycloak-server.json b/testsuite/integration-arquillian/tests/base/src/test/resources/META-INF/keycloak-server.json
index 4e71734cbd..f4cd15bd1b 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/resources/META-INF/keycloak-server.json
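Review bot: resolvePreviousGrantedPermissions has no Javadoc, and now that the resource lookup is keyed by `resourceServer.getId()` rather than the ticket's issuer (the same change the second hunk at line 517 makes), the contract deserves stating: add above the signature `/** Merges permissions already granted in the request's RPT, when one is present and active, into permissionsToEvaluate, resolving each granted resource id against the given resource server; presumably bounded by limit via the break in the loop body. */` and adjust the limit wording once confirmed. A granted resource id that does not resolve within this resource server is now skipped by the bare `if (resource != null)`; since an RPT grant naming a resource from another server is a notable event, a debug log on the else path would make that visible. The method body starts inside the first hunk but continues outside both hunks.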
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/META-INF/keycloak-server.json
@@ -167,6 +167,12 @@
 }
 },
+ "authorizationCache": {
+ "default": {
+ "enabled": "${keycloak.authorizationCache.enabled:true}"
+ }
+ },
+
 "userCache": {
 "provider": "${keycloak.user.cache.provider:default}",
 "default" : {
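Review bot: The new `authorizationCache` block defaults `enabled` to `true` through `${keycloak.authorizationCache.enabled:true}`, so the cache is switched off only when that system property is set explicitly. The pom.xml hunk in this same commit appears to add a `false` value under the map-storage profile (the element name is lost in this rendering), so confirm the property there is spelled exactly `keycloak.authorizationCache.enabled`; a mismatch would leave the map profile running with the cache on and the tests exercising a different code path than intended. JSON cannot carry a comment, so the property's purpose and its interaction with the map profile are best recorded next to the pom property.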