graziang commented Mar 6, 2024

Added 1 second to the duration of the cache for revoked tokens to prevent them from still being valid for 1 second after the expiration date of the access token.

Closes #26113
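The boundary condition described above, as an added example that is not code from this pull request or from Keycloak. `RevokedStore`, `accepted`, the `tok-1` id and the timestamps are hypothetical, and the model assumes a token is accepted while `now <= exp` and that the token check and the cache read the same injectable clock.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.LongSupplier;

public class RevocationWindowDemo {
    // Hypothetical revoked-token store: token id -> epoch second at which the entry is evicted.
    static final class RevokedStore {
        private final Map<String, Long> evictAt = new HashMap<>();
        private final LongSupplier clock;   // shared, injectable time source
        private final long extraSeconds;    // 0 = before the change, 1 = after

        RevokedStore(LongSupplier clock, long extraSeconds) {
            this.clock = clock;
            this.extraSeconds = extraSeconds;
        }

        void revoke(String tokenId, long tokenExp) {
            long now = clock.getAsLong();
            long lifespan = tokenExp - now + extraSeconds; // remaining token lifetime (+ margin)
            evictAt.put(tokenId, now + lifespan);
        }

        boolean isRevoked(String tokenId) {
            Long t = evictAt.get(tokenId);
            return t != null && clock.getAsLong() < t;     // entry is gone once its lifespan elapses
        }
    }

    // Assumption: the token is still accepted during the second stamped in exp.
    static boolean accepted(RevokedStore store, String id, long exp, long now) {
        return now <= exp && !store.isRevoked(id);
    }

    // Revoke a token with 60 s left, move the shared clock to exp, then check it.
    static boolean acceptedAtExpiry(long extraSeconds) {
        long[] now = {1_000};                              // constructed start time
        RevokedStore store = new RevokedStore(() -> now[0], extraSeconds);
        long exp = now[0] + 60;
        store.revoke("tok-1", exp);
        now[0] = exp;                                      // no sleep needed: advance the clock
        return accepted(store, "tok-1", exp, now[0]);
    }

    public static void main(String[] args) {
        System.out.println("lifespan = remaining:     accepted at exp? " + acceptedAtExpiry(0));
        System.out.println("lifespan = remaining + 1: accepted at exp? " + acceptedAtExpiry(1));
    }
}
```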

graziang commented Mar 6, 2024

@mposolda for the test I used a Thread.sleep() of 10 seconds (minimum cache time for revoked tokens) because the setTimeOffset() cannot be used, as Infinispan seems to use a different timeservice, thus not applying the offset. Do you have any suggestions to avoid using sleep?

mposolda commented Mar 7, 2024

> @mposolda for the test I used a Thread.sleep() of 10 seconds (minimum cache time for revoked tokens) because the setTimeOffset() cannot be used, as Infinispan seems to use a different timeservice, thus not applying the offset. Do you have any suggestions to avoid using sleep?

@graziang Nice! Yes, there is InfinispanTestTimeServiceRule. For reference, you can see some classes, for instance LoginTest, where this is used (you can also see TestingResourceProvider.setTestingInfinispanTimeService to check how it works on the Keycloak server side).

mposolda self-assigned this Mar 7, 2024

Added 1 second to the duration of the cache for revoked tokens to prevent them from still being valid for 1 second after the expiration date of the access token.

Closes keycloak#26113

Signed-off-by: graziang <[email protected]>
graziang commented Mar 7, 2024

> > @mposolda for the test I used a Thread.sleep() of 10 seconds (minimum cache time for revoked tokens) because the setTimeOffset() cannot be used, as Infinispan seems to use a different timeservice, thus not applying the offset. Do you have any suggestions to avoid using sleep?
>
> @graziang Nice! Yes, there is InfinispanTestTimeServiceRule. For reference, you can see some classes, for instance LoginTest, where this is used (you can also see TestingResourceProvider.setTestingInfinispanTimeService to check how it works on the Keycloak server side).

Great, thanks, good to know. I updated the test using the rule. I see that you can also use getTestingClient().testing().setTestingInfinispanTimeService() directly for the single test, but it may be useful to have the same Infinispan timeservice for all tests in TokenRevocationTest.

mposolda commented Mar 7, 2024

@graziang Yes, exactly. I was also thinking about the option to have the "custom Infinispan time service" always integrated with Keycloak Time when running the Keycloak server in our testsuite. This would mean that this InfinispanTestTimeServiceRule and other related things won't be needed at all. But that is probably for discussion with the wider team (I am not sure about all the side effects of this...)

Successfully merging this pull request may close these issues.

Revoked Token may be valid for a short time after expiring