OIDC requires that a code-to-token request with the same code succeeds just once. In other words, a code can be exchanged for an access token only once.
We currently ensure this holds for both the single-node and the clustered setup. Tests are:
However, in cross-dc this currently fails, and the ConcurrentLoginCrossDCTest.concurrentCodeReuseShouldFail test is ignored.
We need either:
- Ensure it works in cross-dc too. Then we can "un-ignore" the test ConcurrentLoginCrossDCTest.concurrentCodeReuseShouldFail(). This would be ideal, but is probably hard (or impossible) to achieve.
- Ensure that if an attempt to exchange the same code twice is detected (for example through the clientListeners), the clientSession is invalidated. Code-to-token could then pass twice, but the clientSession would afterwards be invalidated on the Keycloak server side. This will require a new test, and ConcurrentLoginCrossDCTest.concurrentCodeReuseShouldFail() will probably need to stay commented out.
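The two options above map onto two server-side mechanisms: an atomic "consume the code" step that lets exactly one of several concurrent token requests win, and a reuse signal that, when a consumed code shows up again, invalidates the client session and every token minted from it (what RFC 6749 section 4.1.2 recommends for authorization codes used more than once). The following in-memory model is an added example written for this issue; it is not Keycloak code and does not use Keycloak's classes or the clientListeners API. `CodeStore`, `ClientSession` and `concurrent_exchange` are hypothetical names, and the model assumes a single consistent store, which is exactly the assumption that does not hold across DCs; the reuse path is the fallback that still applies there.

```python
"""Single-use authorization codes with reuse detection (hypothetical model).

- exchange() atomically moves a code from pending to consumed, so concurrent
  requests carrying the same code let exactly one succeed.
- Exchanging an already-consumed code is treated as a reuse signal: the
  client session it belonged to is invalidated and its tokens are revoked,
  so a token obtained from a replayed code stops working.
"""
import secrets
import threading
from concurrent.futures import ThreadPoolExecutor


class ClientSession:
    def __init__(self, session_id):
        self.session_id = session_id
        self.valid = True
        self.tokens = set()  # access tokens issued from this client session


class CodeStore:
    def __init__(self):
        self._lock = threading.Lock()
        self._pending = {}   # code -> session_id, issued but not yet exchanged
        self._consumed = {}  # code -> session_id, exchanged exactly once already
        self.sessions = {}   # session_id -> ClientSession

    def issue_code(self, session_id):
        """Bind a fresh authorization code to a client session."""
        code = secrets.token_urlsafe(32)
        with self._lock:
            self.sessions.setdefault(session_id, ClientSession(session_id))
            self._pending[code] = session_id
        return code

    def exchange(self, code):
        """Code-to-token: returns an access token on first use, None otherwise.

        A second use of a consumed code invalidates the owning client session.
        """
        with self._lock:
            session_id = self._pending.pop(code, None)  # atomic: first caller wins
            if session_id is not None:
                session = self.sessions[session_id]
                if not session.valid:
                    return None
                token = secrets.token_urlsafe(32)
                session.tokens.add(token)
                self._consumed[code] = session_id
                return token
            # Not pending: either never issued or already exchanged once.
            reused_session = self._consumed.get(code)
            if reused_session is not None:
                self._invalidate(reused_session)  # reuse detected: revoke everything
            return None

    def _invalidate(self, session_id):
        session = self.sessions[session_id]
        session.valid = False
        session.tokens.clear()

    def token_is_valid(self, session_id, token):
        with self._lock:
            session = self.sessions.get(session_id)
            return session is not None and session.valid and token in session.tokens


def concurrent_exchange(store, code, attempts=8):
    """Fire `attempts` parallel token requests with one code; return the winners."""
    with ThreadPoolExecutor(max_workers=attempts) as pool:
        results = list(pool.map(store.exchange, [code] * attempts))
    return [tok for tok in results if tok is not None]


if __name__ == "__main__":
    store = CodeStore()
    code = store.issue_code("client-session-1")
    print("winning tokens:", len(concurrent_exchange(store, code)))
    print("session still valid:", store.sessions["client-session-1"].valid)
```

In the concurrent run only one request obtains a token, and because the losing requests hit the consumed-code path, the session they all belonged to is invalidated, so even the winner's token is revoked. That is the behaviour the second option describes: the exchange may succeed before detection catches up, but the client session does not survive the replay.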