Check offline scope is still assigned when performing a refresh #43745
Conversation
ahus1
left a comment
Thank you for the PR. See some review notes below.
Could you please add also a check for the token introspection so that an access token for an offline session is considered invalid if the offline scope doesn't exist any more? Thanks!
| if (oldTokenScope != null && parseScopeParameter(oldTokenScope).anyMatch(s -> OAuth2Constants.OFFLINE_ACCESS.equals(s)) | ||
| && clientSessionCtx.getClientScopesStream().noneMatch(s -> OAuth2Constants.OFFLINE_ACCESS.equals(s.getName()))) { | ||
| // offline access needed but scope is not allowed | ||
| throw new OAuthErrorException(OAuthErrorException.INVALID_SCOPE, "Invalid scope: " + OAuth2Constants.OFFLINE_ACCESS); | ||
| } |
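Review bot: this condition enforces the revoked offline_access scope only on the refresh path; token introspection needs the same check, so that an access token belonging to an offline session is reported as inactive once the client no longer has the offline_access scope. Separately, because the scope claim is always present on the old token (the worst case is an empty string, which parseScopeParameter already handles), the `oldTokenScope != null` guard at the start of the condition adds nothing and can be dropped.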
I see that even for lightweight tokens the scope is always present, so I assume there is never the case of oldTokenScope being null.
I was briefly wondering if there would be the need to handle any other removed scope. When trying this out, I found that any removed scope is then removed on the next token refresh, which is IMHO graceful enough and sufficient.
The normal scopes are filtered when calculating the scopes in the DefaultClientSessionContext. The requested scopes are limited to the ones the client has (without dynamic scopes here). So the refresh is allowed but with fewer scopes (the removed ones are not added; it's the same for the user). So I think that part is OK: the response is just limited to the scopes that are still assigned. I would not change this behavior.
For offline_access it is a bit different, because the offline session is not valid anymore for this client. Returning an error makes sense IMO. The problem was that we were never checking this. The session was offline, inherited by the new refresh, and nothing checked that the scope was not present anymore.
I'm going to remove the oldTokenScope != null. I think that you are right, it will be an empty string in the worst case.
Done! Let's see the tests...
Sorry! I didn't read the check about introspection. Doing it right now.
Unreported flaky test detected, please review
If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.
org.keycloak.testsuite.federation.ldap.LDAPProvidersIntegrationTest#updateLDAPUsernameTest
@rmartinc - did you see my comment above, and what's your take on this?
@ahus1 @graziang I have changed this a bit. I created a utility method in
graziang
left a comment
@rmartinc thanks!
Closes keycloak#43734 Signed-off-by: rmartinc <[email protected]>
If you think that it's OK please re-run the failed CI. It should be unrelated.
ahus1
left a comment
Thank you for this change!
@rmartinc - let me know if I should merge this one, or if anyone else from your team should review it.
@graziang already approved, so I think we are OK to merge it. I'll prepare the backports later.
Closes #43734
PR to check if offline_access is still allowed when doing a refresh token. The PR just returns the error and maintains the session (it follows the same behavior that is used for all the other similar exceptions). If you think the PR should remove the session or similar, just let me know. Test added.
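A stand-alone model of the two checks discussed in this thread: the refresh-time offline_access check the PR adds (ordinary scopes that were removed from the client are silently dropped on refresh, while a removed offline_access scope turns the refresh into an invalid_scope error that keeps the session), and the introspection check ahus1 asked for (an access token of an offline session is reported inactive once the client no longer has the offline_access scope). This is an added example, not Keycloak code: the names parse_scope_parameter, ClientSessionContext, refresh, refresh_outcome and introspect, and the sample scope strings, are constructed here; OFFLINE_ACCESS stands in for OAuth2Constants.OFFLINE_ACCESS and InvalidScopeError for OAuthErrorException.

```python
from dataclasses import dataclass

OFFLINE_ACCESS = "offline_access"  # stands in for OAuth2Constants.OFFLINE_ACCESS


class InvalidScopeError(Exception):
    """Stand-in for OAuthErrorException(INVALID_SCOPE, ...)."""

    def __init__(self, scope):
        super().__init__(f"Invalid scope: {scope}")
        self.error = "invalid_scope"


def parse_scope_parameter(scope):
    """Split an RFC 6749 space-delimited scope parameter; None or "" yields no scopes."""
    if not scope:
        return []
    return [s for s in scope.split(" ") if s]


@dataclass
class ClientSessionContext:
    """Assumed stand-in: the scopes the client is still allowed to use."""
    client_scopes: set


def refresh(old_token_scope, ctx):
    """Compute the scope of the refreshed token.

    Ordinary scopes the client lost are filtered out without error; a lost
    offline_access scope is an error because the offline session is no longer
    valid for this client.
    """
    requested = parse_scope_parameter(old_token_scope)
    if OFFLINE_ACCESS in requested and OFFLINE_ACCESS not in ctx.client_scopes:
        # offline access needed but scope is not allowed: error, session is kept
        raise InvalidScopeError(OFFLINE_ACCESS)
    return " ".join(s for s in requested if s in ctx.client_scopes)


def refresh_outcome(old_token_scope, allowed):
    """Run refresh() and report ("ok", scope) or ("error", error_code)."""
    ctx = ClientSessionContext(set(allowed))
    try:
        return ("ok", refresh(old_token_scope, ctx))
    except InvalidScopeError as err:
        return ("error", err.error)


def introspect(token_scope, offline_session, ctx):
    """Introspection result: an offline-session token is inactive once the
    client no longer has the offline_access scope."""
    if offline_session and OFFLINE_ACCESS not in ctx.client_scopes:
        return {"active": False}
    return {"active": True, "scope": token_scope}


if __name__ == "__main__":
    # Constructed sample inputs: old token scope strings and current client scopes
    print(refresh_outcome("openid offline_access", ["openid", "offline_access"]))
    print(refresh_outcome("openid profile email", ["openid", "profile"]))
    print(refresh_outcome("openid offline_access", ["openid"]))
    print(introspect("openid offline_access", True, ClientSessionContext({"openid"})))
```

The second call shows the behavior rmartinc describes for ordinary scopes (email is dropped, no error); the third shows the new offline_access path (error returned, nothing else changes); the introspection call shows the companion check on the access token of an offline session.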