Correct error during refresh token flow without offline_access in sco…

…pe parameter
eosc-kc · Aug 30, 2023 · d1f4bf0 · d1f4bf0
1 parent a9f9834
commit d1f4bf0
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,10 @@ Full Keycloak upstream jira issue can be shown if filtered by Fix version.
 
 Our Keycloak version is working well with PostgreSQL database. For using other SQL databases, text field in database need to be evaluated.
 
+## [Unreleased]
+### Fixed
+- Fix refresh flow with scope parameter problem[EGI dev oidc client refresh flow not allowed](https://trello.com/c/rwDjqUF0/2076-egi-dev-oidc-client-refresh-flow-not-allowed)
+
 ## [18.0.1-2.15] - 2023-23-08
 
 ### Fixed

diff --git a/pom.xml b/pom.xml
@@ -42,7 +42,7 @@
         <jboss.snapshots.repo.url>https://s01.oss.sonatype.org/content/repositories/snapshots/</jboss.snapshots.repo.url>
 
         <quarkus.version>2.7.5.Final</quarkus.version>
-        <eosc-kc.version>${project.version}-2.15</eosc-kc.version>
+        <eosc-kc.version>${project.version}-2.16rc1</eosc-kc.version>
 
         <!--
         Performing a Wildfly upgrade? Run the:

diff --git a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
@@ -422,7 +422,7 @@ public RefreshResult refreshAccessToken(KeycloakSession session, UriInfo uriInfo
 
         if (generateRefreshToken) {
             //refresh token must have same scope as old refresh token (type, scope, expiration)
-            responseBuilder.generateRefreshToken(refreshToken.getScope());
+            responseBuilder.generateRefreshToken(refreshToken.getScope(), clientSession);
         }
 
         if (validation.newToken.getAuthorization() != null
@@ -1159,12 +1159,14 @@ public AccessTokenResponseBuilder generateRefreshToken() {
             return this;
         }
 
-        public AccessTokenResponseBuilder generateRefreshToken(String scope) {
+        public AccessTokenResponseBuilder generateRefreshToken(String scope, AuthenticatedClientSessionModel clientSession) {
             if (accessToken == null) {
                 throw new IllegalStateException("accessToken not set");
             }
 
             boolean offlineTokenRequested = Arrays.asList(scope.split(" ")).contains(OAuth2Constants.OFFLINE_ACCESS) ;
+            if (offlineTokenRequested)
+                clientSessionCtx = DefaultClientSessionContext.fromClientSessionAndScopeParameter(clientSession, scope, session);
             generateRefreshToken(offlineTokenRequested);
             refreshToken.setScope(scope);
             return this;