-
Notifications
You must be signed in to change notification settings - Fork 6.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#25815 do not remove previous refresh token for federated identity #27455
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. Please, sign-off the commit and,.hopefully, that is it.
@geoffreyfourmis Better is if you squash the commits and sign-off a single commit. |
sorry not used to do that, I squashed both commit into one but it seems to be still there, looking at it right now... |
ok, should be good this time |
services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Geoffrey Fourmis <geoffrey.fourmis@gmail.com>
// like in OIDCIdentityProvider.exchangeStoredToken() | ||
// we shouldn't override the refresh token if it is null in the context and not null in the DB | ||
// as for google IDP it will be lost forever | ||
if (federatedIdentityModel.getToken() != null) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tests are failing because when the IDP is a SAML IDP, the response can't be read into an OAuth AccessTokenResponse
.
Changing this line to
if (federatedIdentityModel.getToken() != null && !(context.getIdp() instanceof SAMLIdentityProvider)) {
Fixed the test failures for me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, I'm not sure this works with the Twitter provider because it sets some sort of a custom token in the broker context https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java#L235-L244
I don't think this can be read into an AccessTokenResponse
.
Closing in favor of #29109 which adds tests to the PR. |
Closes #25815
Like what is done in
OIDCIdentityProvider.exchangeStoredToken()
we shouldn't remove previous refresh token inside federated identity token while updating the token insideIdentityBrokerService.updateToken()
.