Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 3.4.0.CR1
    • Component/s: None
    • Labels: None
    • Docs QE Status: NEW
    • QE Status: ASSIGNED

      Description

      OIDC requires that a code-to-token request succeeds with the same code only once. In other words, a code can be exchanged for an access token just once.

      We currently ensure this holds for both single-node and clustered setups. The tests are:

      • ConcurrentLoginTest.concurrentCodeReuseShouldFail
      • ConcurrentLoginClusterTest.concurrentCodeReuseShouldFail

      However, in cross-DC this currently fails, and the ConcurrentLoginCrossDCTest.concurrentCodeReuseShouldFail test is ignored.

      We need one of the following:

      • Ensure it works in cross-DC too. Then we can "un-ignore" the ConcurrentLoginCrossDCTest.concurrentCodeReuseShouldFail() test. This would be ideal, but is probably hard (or impossible) to achieve.
      • Ensure that if an attempt to exchange the same code is detected (for example through the clientListeners), the clientSession is invalidated. Code-to-token could then pass twice, but the clientSession would afterwards be invalidated on the Keycloak server side. This requires a new test, and ConcurrentLoginCrossDCTest.concurrentCodeReuseShouldFail() will probably need to stay commented out.
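The single-use rule and the second option above (detect a replayed code, then kill its client session), as an added illustration that is not Keycloak code and uses no Keycloak API: an in-memory code store for one node, with a helper that races several threads on one code the way the concurrentCodeReuseShouldFail tests do. The `AuthorizationCodeStore`, `CodeReuseError` and `concurrent_exchange` names are assumptions made for this example.

```python
import secrets
import threading

class CodeReuseError(Exception):
    """Unknown or replayed authorization code."""

class AuthorizationCodeStore:
    """Single-use OIDC authorization codes. A replayed code is rejected and,
    as the issue's fallback suggests, its client session is revoked."""
    def __init__(self):
        self._lock = threading.Lock()   # one node; cross-DC needs an atomic shared store
        self._codes = {}                # code -> {"session": id, "used": bool}
        self.revoked_sessions = set()   # client sessions killed after a detected reuse

    def issue(self, client_session_id):
        code = secrets.token_urlsafe(32)
        with self._lock:
            self._codes[code] = {"session": client_session_id, "used": False}
        return code

    def exchange(self, code):
        """Return the session id on the first exchange; revoke and raise on reuse."""
        with self._lock:                # check-and-mark must be atomic
            entry = self._codes.get(code)
            if entry is None:
                raise CodeReuseError("invalid_grant")
            if entry["used"]:
                # RFC 6749 sec. 4.1.2: deny the request and revoke what the code produced
                self.revoked_sessions.add(entry["session"])
                raise CodeReuseError("invalid_grant: code reuse, session revoked")
            entry["used"] = True
            return entry["session"]

def concurrent_exchange(store, code, workers=8):
    """Race `workers` threads on one code; return (successes, failures)."""
    barrier = threading.Barrier(workers)
    results = []

    def worker():
        barrier.wait()                  # release all exchanges at the same moment
        try:
            store.exchange(code)
            results.append(True)
        except CodeReuseError:
            results.append(False)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads: t.start()
    for t in threads: t.join()
    return results.count(True), results.count(False)
```

Across data centres the `with self._lock` section is the part that no longer holds, which is why the fallback is to revoke the session once the second exchange is observed rather than to prevent it.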

              People

              • Assignee: Marek Posolda (mposolda)
              • Reporter: Marek Posolda (mposolda)
              • Tester: Vlastislav Ramik
              • Votes: 0
              • Watchers: 2
