From ecce0fe9e0b792ed48f2d9c2c0abd3746c7c4410 Mon Sep 17 00:00:00 2001
From: Prarthona Paul
Date: Mon, 22 Jul 2024 12:11:48 -0400
Subject: [PATCH] ELY-2789 OIDCSecurityContext deserialization issue

---
 .../http/oidc/OidcSecurityContext.java | 4 +--
 .../security/http/oidc/BearerTest.java | 33 +++++++++++++++++++
 2 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcSecurityContext.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcSecurityContext.java
index 5556f311967..c539a2e6224 100644
--- a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcSecurityContext.java
+++ b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcSecurityContext.java
@@ -76,8 +76,8 @@ public String getRealm() {
 private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
 in.defaultReadObject();
 try {
- token = new AccessToken(new JwtConsumerBuilder().setSkipSignatureVerification().setSkipAllValidators().build().processToClaims(tokenString));
- idToken = new IDToken(new JwtConsumerBuilder().setSkipSignatureVerification().setSkipAllValidators().build().processToClaims(idTokenString));
+ token = tokenString == null ? null : new AccessToken(new JwtConsumerBuilder().setSkipSignatureVerification().setSkipAllValidators().build().processToClaims(tokenString));
+ idToken = idTokenString == null ? null : new IDToken(new JwtConsumerBuilder().setSkipSignatureVerification().setSkipAllValidators().build().processToClaims(idTokenString));
 } catch (InvalidJwtException e) {
 throw log.unableToParseToken();
 }
diff --git a/http/oidc/src/test/java/org/wildfly/security/http/oidc/BearerTest.java b/http/oidc/src/test/java/org/wildfly/security/http/oidc/BearerTest.java
index 18c4b2f087d..275c9b181ac 100644
--- a/http/oidc/src/test/java/org/wildfly/security/http/oidc/BearerTest.java
+++ b/http/oidc/src/test/java/org/wildfly/security/http/oidc/BearerTest.java
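Review bot: The two new assignments in readObject each build a throw-away JwtConsumer, and nothing records why signature verification and every validator are skipped when the context is re-read, which is the security-relevant decision in this method. The skip is presumably only acceptable because the token strings being re-parsed were validated before the context was serialized, so the serialized form has to be treated as trusted state, and a comment should say so: `// Tokens were validated before serialization; only their claims are re-parsed here, so the serialized form must come from a trusted source.`. Hoisting the builder removes the duplication: `JwtConsumer claimsParser = new JwtConsumerBuilder().setSkipSignatureVerification().setSkipAllValidators().build();` followed by `token = tokenString == null ? null : new AccessToken(claimsParser.processToClaims(tokenString));` and `idToken = idTokenString == null ? null : new IDToken(claimsParser.processToClaims(idTokenString));` (requires importing org.jose4j.jwt.consumer.JwtConsumer). The catch below still rethrows without the InvalidJwtException as cause, which hides which of the two tokens failed to parse; that is pre-existing, but worth attaching the cause if the log method has an overload that accepts one.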
@@ -27,7 +27,10 @@ import static org.wildfly.security.http.oidc.Oidc.OIDC_NAME;
 import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
 import java.io.InputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
 import java.util.Collections;
@@ -36,6 +39,7 @@ import java.util.Map;
 import org.apache.http.HttpStatus;
+import org.jose4j.jwt.consumer.JwtConsumerBuilder;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
@@ -146,6 +150,35 @@ public static void generalCleanup() throws Exception {
 }
 }
+ @Test
+ public void testOIDCSecurityContextDeserialization() throws Exception {
+ String accessTokenString = KeycloakConfiguration.getAccessToken(KEYCLOAK_CONTAINER.getAuthServerUrl(), TEST_REALM, KeycloakConfiguration.ALICE, KeycloakConfiguration.ALICE_PASSWORD, CLIENT_ID, CLIENT_SECRET);
+ AccessToken accessToken = new AccessToken(new JwtConsumerBuilder().setSkipSignatureVerification().setSkipAllValidators().build().processToClaims(accessTokenString));
+ OidcSecurityContext oidcSecurityContext = new OidcSecurityContext(accessTokenString, accessToken, null, null);
+ OidcPrincipal oidcPrincipal = new OidcPrincipal("alice", oidcSecurityContext);
+
+ // Serialize
+ ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
+ ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
+ objectOutputStream.writeObject(oidcPrincipal);
+ objectOutputStream.close();
+
+ //deserialize
+ byte[] bytes = byteArrayOutputStream.toByteArray();
+ ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bytes);
+ ObjectInputStream objectInputStream = new ObjectInputStream(byteArrayInputStream);
+ OidcPrincipal deserializedOidcPrincipal = (OidcPrincipal)objectInputStream.readObject();
+ OidcSecurityContext deserializedOidcSecurityContext = deserializedOidcPrincipal.getOidcSecurityContext();
+ AccessToken deserializedAccessToken = deserializedOidcSecurityContext.getToken();
+
+ assertEquals(accessTokenString, deserializedOidcSecurityContext.getTokenString());
+ assertEquals(KeycloakConfiguration.ALICE, deserializedOidcPrincipal.getName());
+ assertEquals(KeycloakConfiguration.ALICE, deserializedAccessToken.getPreferredUsername());
+ assertEquals("alice@gmail.com", deserializedAccessToken.getEmail());
+ assertEquals(TEST_REALM, deserializedOidcSecurityContext.getRealm());
+ objectInputStream.close();
+ }
+
 @Test
 public void testSucessfulAuthenticationWithAuthServerUrl() throws Exception {
 performBearerAuthentication(getOidcConfigurationInputStream(), SECURED_ENDPOINT, KeycloakConfiguration.ALICE, KeycloakConfiguration.ALICE_PASSWORD,
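Review bot: The ObjectOutputStream and ObjectInputStream in the new test are released by explicit close() calls, so any assertEquals that fails before `objectInputStream.close()` leaves the stream open; try-with-resources makes the two stream scopes explicit and shortens the body. The call `new OidcSecurityContext(accessTokenString, accessToken, null, null)` looks like the scenario the fix targets (a context serialized with no ID token), but nothing in the test says so; a comment such as `// no ID token: readObject must tolerate a null idTokenString (ELY-2789)` would tie the test to the change it guards. The `"alice@gmail.com"` expectation inlines fixture data for the test realm; if KeycloakConfiguration exposes that value, reference it rather than repeating the literal. The enclosing test class continues past the hunk.
```java
// … unchanged: accessTokenString / accessToken / oidcSecurityContext / oidcPrincipal setup …
byte[] bytes;
try (ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
     ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream)) {
    objectOutputStream.writeObject(oidcPrincipal);
    objectOutputStream.flush();
    bytes = byteArrayOutputStream.toByteArray();
}
OidcPrincipal deserializedOidcPrincipal;
try (ObjectInputStream objectInputStream = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
    deserializedOidcPrincipal = (OidcPrincipal) objectInputStream.readObject();
}
// … unchanged: getOidcSecurityContext()/getToken() lookups and the assertEquals checks …
```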