Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not remove previous refresh token for federated identity #29109

Merged
merged 2 commits into from Apr 30, 2024
Merged

Do not remove previous refresh token for federated identity #29109

merged 2 commits into from Apr 30, 2024

Conversation

sguilhen
Copy link
Contributor

Closes #25815

@sguilhen sguilhen requested a review from a team as a code owner April 26, 2024 13:28
pedroigor
pedroigor reviewed Apr 26, 2024
View reviewed changes
services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java Outdated
// like in OIDCIdentityProvider.exchangeStoredToken()
// we shouldn't override the refresh token if it is null in the context and not null in the DB
// as for google IDP it will be lost forever
if (federatedIdentityModel.getToken() != null && !(context.getIdp() instanceof SAMLIdentityProvider)) {
Copy link
Contributor

@pedroigor pedroigor Apr 26, 2024
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is better/safer if we check if the idp is a ExchangeTokenToIdentityProviderToken. It will catch both OIDC and OAuth based brokers while at the same time excluding SAML as we don't support internal to external token exchanges for SAML.

This was referenced Apr 26, 2024
Open
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@sguilhen sguilhen force-pushed the 25815-fed-identity-refresh-token branch 2 times, most recently from b80d1f1 to 76f6d22 Compare April 26, 2024 16:29
@keycloak-github-bot keycloak-github-bot bot mentioned this pull request Apr 26, 2024
Open
@sguilhen sguilhen changed the title 25815 Do not remove previous refresh token for federated identity Do not remove previous refresh token for federated identity Apr 29, 2024
@geoffreyfourmis @sguilhen
25815 do not remove previous refresh token for federated identity
ee4b1cc 
Signed-off-by: Geoffrey Fourmis <geoffrey.fourmis@gmail.com>
@sguilhen sguilhen force-pushed the 25815-fed-identity-refresh-token branch from 76f6d22 to 13b77fc Compare April 30, 2024 04:37
@sguilhen sguilhen requested review from a team as code owners April 30, 2024 04:37
@sguilhen sguilhen force-pushed the 25815-fed-identity-refresh-token branch 2 times, most recently from 407be02 to e3229dc Compare April 30, 2024 11:58
@sguilhen
Add check to prevent deserialization issues when the context token is…
8278d8f 
… not an AccessTokenResponse.

- also adds a test for the refresh token on first login scenario.

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
@sguilhen sguilhen force-pushed the 25815-fed-identity-refresh-token branch from e3229dc to 8278d8f Compare April 30, 2024 13:09
@keycloak-github-bot keycloak-github-bot bot mentioned this pull request Apr 30, 2024
Open
@keycloak-github-bot keycloak-github-bot bot mentioned this pull request Apr 30, 2024
Open
keycloak-github-bot[bot]
keycloak-github-bot bot reviewed Apr 30, 2024
View reviewed changes
Copy link

@keycloak-github-bot keycloak-github-bot bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unreported flaky test detected, please review

@keycloak-github-bot
Copy link

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.x509.X509BrowserCRLTest#loginFailedWithIntermediateRevocationListFromHttp

Keycloak CI - FIPS IT (strict)

java.lang.RuntimeException: Could not create statement
	at org.jboss.arquillian.junit.Arquillian.methodBlock(Arquillian.java:307)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
...

Report flaky test

@pedroigor pedroigor merged commit 02e2ebf into keycloak:main Apr 30, 2024
70 checks passed
@sguilhen sguilhen mentioned this pull request Apr 30, 2024
Closed
@sguilhen sguilhen deleted the 25815-fed-identity-refresh-token branch May 7, 2024 20:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@keycloak-github-bot keycloak-github-bot[bot] keycloak-github-bot left review comments

@pedroigor pedroigor pedroigor approved these changes

Assignees
No one assigned
Labels
flaky-test team/cloud-native team/core-clients team/core-iam
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Loosing refresh token with Google Identity Provider
3 participants
@sguilhen @pedroigor @geoffreyfourmis