Add the nonce attribute when the client session context is recreated (#33422)

Closes #33355 Signed-off-by: rmartinc <rmartinc@redhat.com> Co-authored-by: Tomas Kralik <tomas.kralik@pbktechnology.cz> (cherry picked from commit 6e471a84773a6952a8cb3d87efcb5d61ac643ecd)
2026-01-09 15:02:05 -03:30 · 2024-10-02 09:44:25 +02:00 · 2024-10-02 09:44:25 +02:00 · 3760161268
commit 3760161268
parent 306ca1ca07
2 changed files with 29 additions and 8 deletions
--- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
@ -1118,8 +1118,12 @@ public class TokenManager {
            String scope = oldRefreshToken.getScope();
            Object reuseId = oldRefreshToken.getOtherClaims().get(Constants.REUSE_ID);
            boolean offlineTokenRequested = Arrays.asList(scope.split(" ")).contains(OAuth2Constants.OFFLINE_ACCESS) ;
-            if (offlineTokenRequested)
+            if (offlineTokenRequested) {
                clientSessionCtx = DefaultClientSessionContext.fromClientSessionAndScopeParameter(clientSession, scope, session);
+                if (oldRefreshToken.getNonce() != null) {
+                    clientSessionCtx.setAttribute(OIDCLoginProtocol.NONCE_PARAM, oldRefreshToken.getNonce());
+                }
+            }
            generateRefreshToken(offlineTokenRequested);
            if (realm.isRevokeRefreshToken()) {
                refreshToken.getOtherClaims().put(Constants.REUSE_ID, reuseId);
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/NonceBackwardsCompatibleMapperTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/NonceBackwardsCompatibleMapperTest.java
@ -46,6 +46,7 @@ import org.keycloak.testsuite.AssertEvents;
 import org.keycloak.testsuite.admin.ApiUtil;
 import org.keycloak.testsuite.updaters.ClientAttributeUpdater;
 import org.keycloak.testsuite.util.OAuthClient;
+import org.keycloak.util.TokenUtil;

 /**
 *
@ -62,7 +63,7 @@ public class NonceBackwardsCompatibleMapperTest extends AbstractTestRealmKeycloa

    @Test
    public void testNonceWithoutMapper() throws JsonProcessingException {
-        testNonce(false);
+        testNonce(false, false);
    }

    @Test
@ -70,7 +71,18 @@ public class NonceBackwardsCompatibleMapperTest extends AbstractTestRealmKeycloa
        ClientResource testApp = ApiUtil.findClientByClientId(testRealm(), "test-app");
        String mapperId = createNonceMapper(testApp);
        try {
-            testNonce(true);
+            testNonce(true, false);
+        } finally {
+            testApp.getProtocolMappers().delete(mapperId);
+        }
+    }
+
+    @Test
+    public void testOfflineSessionNonceWithMapper() throws JsonProcessingException {
+        ClientResource testApp = ApiUtil.findClientByClientId(testRealm(), "test-app");
+        String mapperId = createNonceMapper(testApp);
+        try {
+            testNonce(true, true);
        } finally {
            testApp.getProtocolMappers().delete(mapperId);
        }
@ -142,9 +154,12 @@ public class NonceBackwardsCompatibleMapperTest extends AbstractTestRealmKeycloa
        testIntrospection(idTokenString, nonce, true);
    }

-    private void testNonce(boolean mapper) throws JsonProcessingException {
+    private void testNonce(boolean mapper, boolean offlineSession) throws JsonProcessingException {
        String nonce = KeycloakModelUtils.generateId();
        oauth.nonce(nonce);
+        if (offlineSession) {
+            oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
+        }
        oauth.doLogin("test-user@localhost", "password");
        EventRepresentation loginEvent = events.expectLogin().assertEvent();

@ -158,12 +173,14 @@ public class NonceBackwardsCompatibleMapperTest extends AbstractTestRealmKeycloa
        RefreshToken refreshToken = oauth.parseRefreshToken(response.getRefreshToken());
        checkNonce(nonce, refreshToken.getNonce(), mapper);

-        EventRepresentation tokenEvent = events.expectCodeToToken(loginEvent.getDetails().get(Details.CODE_ID),
-                loginEvent.getSessionId()).assertEvent();
+        EventRepresentation tokenEvent = events.expectCodeToToken(loginEvent.getDetails().get(Details.CODE_ID), loginEvent.getSessionId())
+                .detail(Details.REFRESH_TOKEN_TYPE, offlineSession? TokenUtil.TOKEN_TYPE_OFFLINE : TokenUtil.TOKEN_TYPE_REFRESH)
+                .assertEvent();

        response = oauth.doRefreshTokenRequest(response.getRefreshToken(), "password");
-        events.expectRefresh(tokenEvent.getDetails().get(Details.REFRESH_TOKEN_ID),
-                loginEvent.getSessionId()).assertEvent();
+        events.expectRefresh(tokenEvent.getDetails().get(Details.REFRESH_TOKEN_ID), loginEvent.getSessionId())
+                .detail(Details.REFRESH_TOKEN_TYPE, offlineSession? TokenUtil.TOKEN_TYPE_OFFLINE : TokenUtil.TOKEN_TYPE_REFRESH)
+                .assertEvent();

        token = oauth.verifyToken(response.getAccessToken());
        checkNonce(nonce, token.getNonce(), mapper);