From c5d158226b1a91372712b5f178eb5c1ac50207db Mon Sep 17 00:00:00 2001
From: Sebastian Daschner
Date: Thu, 23 Jul 2020 08:47:16 +0200
Subject: [PATCH] fixed lost OIDC refresh token when performing a refresh

---
 .../runtime/CodeAuthenticationMechanism.java | 22 ++++++++++---------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java
index ffa6358f851db..ba91c1dd8e412 100644
--- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java
+++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java
@@ -303,7 +303,8 @@ public void accept(SecurityIdentity identity) {
 LOG.debug("ID Token is required to contain 'exp' and 'iat' claims");
 uniEmitter.fail(new AuthenticationCompletionException());
 }
- processSuccessfulAuthentication(context, configContext, result, identity);
+ processSuccessfulAuthentication(context, configContext, result,
+ result.opaqueRefreshToken(), identity);
 if (configContext.oidcConfig.authentication.isRemoveRedirectParameters()
 && context.request().query() != null) {
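Review bot: The new `processSuccessfulAuthentication(context, configContext, result, result.opaqueRefreshToken(), identity)` call still executes when the preceding branch has already rejected the token: `uniEmitter.fail(new AuthenticationCompletionException());` is followed directly by `}` with no `return`, so an ID token lacking `exp`/`iat` still gets a session cookie built for it and, judging by the `getLong("exp") - getLong("iat")` arithmetic in the next hunk, presumably dies with an NPE instead of the intended AuthenticationCompletionException. Adding `return;` right after the `uniEmitter.fail(...)` line closes that path; a failed emitter should not be touched again afterwards. The enclosing `accept` method starts and ends outside this hunk, so I cannot see whether something else short-circuits it.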
@@ -348,15 +349,12 @@ private String signJwtWithClientSecret(OidcTenantConfig cfg) {
 }
 private void processSuccessfulAuthentication(RoutingContext context, TenantConfigContext configContext,
- AccessToken result, SecurityIdentity securityIdentity) {
-
+ AccessToken result, String refreshToken, SecurityIdentity securityIdentity) {
 removeCookie(context, configContext, getSessionCookieName(configContext));
- String cookieValue = new StringBuilder(result.opaqueIdToken())
- .append(COOKIE_DELIM)
- .append(result.opaqueAccessToken())
- .append(COOKIE_DELIM)
- .append(result.opaqueRefreshToken()).toString();
+ String cookieValue = result.opaqueIdToken() + COOKIE_DELIM
+ + result.opaqueAccessToken() + COOKIE_DELIM
+ + refreshToken;
 long maxAge = result.idToken().getLong("exp") - result.idToken().getLong("iat");
 if (configContext.oidcConfig.token.lifespanGrace.isPresent()) {
@@ -470,8 +468,12 @@ public void handle(AsyncResult result) {
 .subscribe().with(new Consumer() {
 @Override
 public void accept(SecurityIdentity identity) {
- // after a successful refresh, rebuild the identity and update the cookie
- processSuccessfulAuthentication(context, configContext, token,
+ // the refresh token might not have been send in the response again String refresh = token.opaqueRefreshToken() != null ? token.opaqueRefreshToken() : refreshToken;
+ // after a successful refresh, rebuild the identity and update the cookie
+ processSuccessfulAuthentication(context, configContext, token, refresh,
 identity);
 // update the token so that blocking threads get the latest one
 emitter.complete(
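Review bot: `refreshToken` is concatenated into `cookieValue` without a null check, so when the provider issues no refresh token at all (a legitimate outcome of an authorization-code exchange, and the very case the third hunk guards against) the literal string `null` is persisted as the third cookie segment and presumably handed back to the token endpoint on the next refresh; the old `StringBuilder.append(result.opaqueRefreshToken())` behaved the same, but the new explicit parameter is the place to settle it. Either normalise here, `+ (refreshToken == null ? "" : refreshToken)`, if the cookie parser outside this hunk tolerates an empty trailing segment, or at least state the contract on the method, e.g. Javadoc `@param refreshToken opaque refresh token to keep in the session cookie; may be null if the provider did not issue one`. Since this cookie now explicitly carries a long-lived bearer credential, the HttpOnly/Secure attributes set on it further down (outside the hunk) deserve a look in the same review. The method body continues past the end of the hunk.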
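Review bot: The fallback `token.opaqueRefreshToken() != null ? token.opaqueRefreshToken() : refreshToken` implements the right rotation rule (a newly issued refresh token replaces the stored one, the stored one survives only when the response omits it), but the comment above it misspells "sent" and the accessor is evaluated twice; I would write `String newRefreshToken = token.opaqueRefreshToken();` then `// a refresh response may omit the refresh token (RFC 6749 §6); keep the current one in that case` and `String refresh = newRefreshToken != null ? newRefreshToken : refreshToken;`. Where `refreshToken` originates is outside the hunk, presumably the value parsed from the existing session cookie, so the "keep the current one" wording should be confirmed against that. The enclosing `accept` and `handle` methods both start and end outside this hunk.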