[KEYCLOAK-7822] - Fix access token and refresh token timeout in resource server

2018-07-11 00:55:26 +08:00 · 2018-07-11 00:55:26 +08:00 · fba2bf0b2f
commit fba2bf0b2f
parent 55550f2023
1 changed files with 27 additions and 1 deletions
--- a/authz/client/src/main/java/org/keycloak/authorization/client/util/TokenCallable.java
+++ b/authz/client/src/main/java/org/keycloak/authorization/client/util/TokenCallable.java
@ -18,15 +18,19 @@ package org.keycloak.authorization.client.util;

 import java.util.concurrent.Callable;

+import org.jboss.logging.Logger;
 import org.keycloak.authorization.client.Configuration;
 import org.keycloak.authorization.client.representation.ServerConfiguration;
+import org.keycloak.common.util.Time;
 import org.keycloak.jose.jws.JWSInput;
 import org.keycloak.representations.AccessToken;
 import org.keycloak.representations.AccessTokenResponse;
+import org.keycloak.representations.RefreshToken;
 import org.keycloak.util.JsonSerialization;

 public class TokenCallable implements Callable<String> {

+    private static Logger log = Logger.getLogger(TokenCallable.class);
    private final String userName;
    private final String password;
    private final Http http;
@ -54,6 +58,22 @@ public class TokenCallable implements Callable<String> {
            } else {
                clientToken = obtainAccessToken(userName, password);
            }
+        } else {
+            String refreshTokenValue = clientToken.getRefreshToken();
+            try {
+                RefreshToken refreshToken = JsonSerialization.readValue(new JWSInput(refreshTokenValue).getContent(), RefreshToken.class);
+                if (!refreshToken.isActive() || !isTokenTimeToLiveSufficient(refreshToken)) {
+                    log.debug("Refresh token is expired.");
+                    if (userName == null || password == null) {
+                        clientToken = obtainAccessToken();
+                    } else {
+                        clientToken = obtainAccessToken(userName, password);
+                    }
+                }
+            } catch (Exception e) {
+                clientToken = null;
+                throw new RuntimeException(e);
+            }
        }

        String token = clientToken.getToken();
@ -61,8 +81,10 @@ public class TokenCallable implements Callable<String> {
        try {
            AccessToken accessToken = JsonSerialization.readValue(new JWSInput(token).getContent(), AccessToken.class);

-            if (accessToken.isActive()) {
+            if (accessToken.isActive() && this.isTokenTimeToLiveSufficient(accessToken)) {
                return token;
+            } else {
+                log.debug("Access token is expired.");
            }

            clientToken = http.<AccessTokenResponse>post(serverConfiguration.getTokenEndpoint())
@ -81,6 +103,10 @@ public class TokenCallable implements Callable<String> {
        return clientToken.getToken();
    }

+    public boolean isTokenTimeToLiveSufficient(AccessToken token) {
+        return token != null && (token.getExpiration() - getConfiguration().getTokenMinimumTimeToLive()) > Time.currentTime();
+    }
+
    /**
     * Obtains an access token using the client credentials.
     *