Merge pull request #4480 from TeliaSoneraNorge/KEYCLOAK-5494
Fix introspection error for pairwise access tokens
commit
fa35249afd
2 changed files with 44 additions and 19 deletions
@ -203,7 +203,26 @@ public class TokenManager {
|
|||
return false;
|
||||
}
|
||||
|
||||
UserModel user = session.users().getUserById(token.getSubject(), realm);
|
||||
ClientModel client = realm.getClientByClientId(token.getIssuedFor());
|
||||
if (client == null || !client.isEnabled() || token.getIssuedAt() < client.getNotBefore()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
UserSessionModel userSession = new UserSessionCrossDCManager(session).getUserSessionWithClient(realm, token.getSessionState(), false, client.getId());
|
||||
if (AuthenticationManager.isSessionValid(realm, userSession)) {
|
||||
return isUserValid(session, realm, token, userSession);
|
||||
}
|
||||
|
||||
userSession = new UserSessionCrossDCManager(session).getUserSessionWithClient(realm, token.getSessionState(), true, client.getId());
|
||||
if (AuthenticationManager.isOfflineSessionValid(realm, userSession)) {
|
||||
return isUserValid(session, realm, token, userSession);
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
private boolean isUserValid(KeycloakSession session, RealmModel realm, AccessToken token, UserSessionModel userSession) {
|
||||
UserModel user = userSession.getUser();
|
||||
if (user == null) {
|
||||
return false;
|
||||
}
|
||||
|
@ -213,26 +232,10 @@ public class TokenManager {
|
|||
if (token.getIssuedAt() < session.users().getNotBeforeOfUser(realm, user)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
ClientModel client = realm.getClientByClientId(token.getIssuedFor());
|
||||
if (client == null || !client.isEnabled() || token.getIssuedAt() < client.getNotBefore()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
UserSessionModel userSession = new UserSessionCrossDCManager(session).getUserSessionWithClient(realm, token.getSessionState(), false, client.getId());
|
||||
if (AuthenticationManager.isSessionValid(realm, userSession)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
userSession = new UserSessionCrossDCManager(session).getUserSessionWithClient(realm, token.getSessionState(), true, client.getId());
|
||||
if (AuthenticationManager.isOfflineSessionValid(realm, userSession)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
public RefreshResult refreshAccessToken(KeycloakSession session, UriInfo uriInfo, ClientConnection connection, RealmModel realm, ClientModel authorizedClient,
|
||||
String encodedRefreshToken, EventBuilder event, HttpHeaders headers) throws OAuthErrorException {
|
||||
RefreshToken refreshToken = verifyRefreshToken(session, realm, encodedRefreshToken);
|
||||
|
|
|
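Review bot: `isUserValid` (declared at the foot of the first hunk, its body continuing into the second) takes the user from `userSession.getUser()` and never relates it back to `token.getSubject()`, and nothing in the visible lines records why that is acceptable; since the motivation is that a pairwise `sub` does not resolve through `getUserById`, a comment above the `UserModel user = userSession.getUser();` line such as `// sub may be a pairwise pseudonym, so the user is taken from the session bound by the token's session_state rather than looked up by subject` would keep a later maintainer from reintroducing the subject lookup. If the `UserModel user = session.users().getUserById(token.getSubject(), realm);` line at the top of the first hunk survives on the new side (this page has lost the +/- markers, so it cannot be told apart from a removed line), it is now an unused per-introspection user lookup and should be dropped. Whether a `user.isEnabled()` check still sits in the lines hidden between the two hunks cannot be seen here; if it does not, a disabled user with a live session would still introspect as active, so that is worth confirming. The enclosing `isTokenValid` method begins before the first hunk.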
@ -18,9 +18,12 @@
|
|||
package org.keycloak.testsuite.client;
|
||||
|
||||
|
||||
import com.fasterxml.jackson.databind.JsonNode;
|
||||
import com.fasterxml.jackson.databind.ObjectMapper;
|
||||
import org.apache.commons.lang.StringUtils;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.keycloak.OAuth2Constants;
|
||||
import org.keycloak.admin.client.resource.ClientResource;
|
||||
import org.keycloak.admin.client.resource.RealmResource;
|
||||
import org.keycloak.client.registration.Auth;
|
||||
|
@ -36,6 +39,7 @@ import org.keycloak.representations.idm.ClientInitialAccessPresentation;
|
|||
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
|
||||
import org.keycloak.representations.idm.UserRepresentation;
|
||||
import org.keycloak.representations.oidc.OIDCClientRepresentation;
|
||||
import org.keycloak.representations.oidc.TokenMetadataRepresentation;
|
||||
import org.keycloak.testsuite.Assert;
|
||||
import org.keycloak.testsuite.admin.ApiUtil;
|
||||
import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
|
||||
|
@ -44,9 +48,11 @@ import org.keycloak.testsuite.util.ClientManager;
|
|||
import org.keycloak.testsuite.util.OAuthClient;
|
||||
import org.keycloak.testsuite.util.UserInfoClientUtil;
|
||||
import org.keycloak.testsuite.util.UserManager;
|
||||
import org.keycloak.util.JsonSerialization;
|
||||
|
||||
import javax.ws.rs.client.Client;
|
||||
import javax.ws.rs.core.Response;
|
||||
import java.io.IOException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Base64;
|
||||
import java.util.Collections;
|
||||
|
@ -407,6 +413,22 @@ public class OIDCPairwiseClientRegistrationTest extends AbstractClientRegistrati
|
|||
Assert.assertEquals(idToken.getIssuedFor(), refreshedIdToken.getIssuedFor());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void introspectPairwiseAccessToken() throws Exception {
|
||||
// Create a pairwise client
|
||||
OIDCClientRepresentation pairwiseClient = createPairwise();
|
||||
|
||||
// Login to pairwise client
|
||||
OAuthClient.AccessTokenResponse accessTokenResponse = login(pairwiseClient, "test-user@localhost", "password");
|
||||
|
||||
String introspectionResponse = oauth.introspectAccessTokenWithClientCredential(pairwiseClient.getClientId(), pairwiseClient.getClientSecret(), accessTokenResponse.getAccessToken());
|
||||
|
||||
ObjectMapper objectMapper = new ObjectMapper();
|
||||
JsonNode jsonNode = objectMapper.readTree(introspectionResponse);
|
||||
Assert.assertEquals(true, jsonNode.get("active").asBoolean());
|
||||
Assert.assertEquals("test-user@localhost", jsonNode.get("email").asText());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void refreshPairwiseTokenDeletedUser() throws Exception {
|
||||
String userId = createUser(REALM_NAME, "delete-me@localhost", "password");
|
||||
|
|
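Review bot: `introspectPairwiseAccessToken` asserts only `active` and `email`, so it would still pass if the introspection response carried the real user id instead of the pairwise subject, which is the property pairwise clients exist to protect; assuming the class's existing token-parsing helper (the one that yields `idToken` just above) can be applied to `accessTokenResponse.getAccessToken()`, adding `Assert.assertEquals(<parsed access token>.getSubject(), jsonNode.get("sub").asText())` would pin it. Two smaller points in the same method: `Assert.assertEquals(true, jsonNode.get("active").asBoolean())` reads better as `Assert.assertTrue(jsonNode.get("active").asBoolean())`, and the ad-hoc `new ObjectMapper()` could use the `JsonSerialization` helper this file already imports, which would also make the new `JsonNode`/`ObjectMapper` imports unnecessary. The import hunks and the rest of the class are otherwise unremarkable.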