// KEYCLOAK-3823: Test that sending notBefore policy invalidates JWKPublicKeyLocator cache @Test public void testPublicKeyCacheInvalidatedWhenPushedNotBefore() { driver.manage().timeouts().pageLoadTimeout(1000, TimeUnit.SECONDS); // increase accessTokenLifespan to 1200 RealmRepresentation demoRealm = adminClient.realm(DEMO).toRepresentation(); demoRealm.setAccessTokenLifespan(1200); adminClient.realm(DEMO).update(demoRealm); // authenticate in tokenMinTTL app loginToTokenMinTtlApp(); String accessTokenString = tokenMinTTLPage.getAccessTokenString(); // Generate new realm public key String oldActiveKeyProviderId = getActiveKeyProvider(); generateNewRealmKey(); // Send REST request to customer-db app. It should be successfully authenticated even that token // is signed by the old key int status = invokeRESTEndpoint(accessTokenString); Assert.assertEquals(200, status); // Remove the old realm key now adminClient.realm(DEMO).components().component(oldActiveKeyProviderId).remove(); // Set some offset to ensure pushing notBefore will pass setAdapterAndServerTimeOffset( 130, customerDb.toString() + "/unsecured/foo", tokenMinTTLPage.toString() + "/unsecured/foo"); // Send notBefore policy from the realm demoRealm.setNotBefore(Time.currentTime() - 1); adminClient.realm(DEMO).update(demoRealm); GlobalRequestResult result = adminClient.realm(DEMO).pushRevocation(); Assert.assertTrue(result.getSuccessRequests().contains(customerDb.toString())); // Send REST request. New request to the publicKey cache should be sent, and key is no longer // returned as token contains the old kid status = invokeRESTEndpoint(accessTokenString); Assert.assertEquals(401, status); // Revert public keys change and time offset resetKeycloakDeploymentForAdapter(customerDb.toString() + "/unsecured/foo"); resetKeycloakDeploymentForAdapter(tokenMinTTLPage.toString() + "/unsecured/foo"); }
// KEYCLOAK-3824: Test for public-key-cache-ttl @Test public void testPublicKeyCacheTtl() { // increase accessTokenLifespan to 1200 RealmRepresentation demoRealm = adminClient.realm(DEMO).toRepresentation(); demoRealm.setAccessTokenLifespan(1200); adminClient.realm(DEMO).update(demoRealm); // authenticate in tokenMinTTL app loginToTokenMinTtlApp(); String accessTokenString = tokenMinTTLPage.getAccessTokenString(); // Send REST request to customer-db app. I should be successfully authenticated int status = invokeRESTEndpoint(accessTokenString); Assert.assertEquals(200, status); // Re-generate realm public key and remove the old key String oldActiveKeyProviderId = getActiveKeyProvider(); generateNewRealmKey(); adminClient.realm(DEMO).components().component(oldActiveKeyProviderId).remove(); // Send REST request to the customer-db app. Should be still succcessfully authenticated as the // JWKPublicKeyLocator cache is still valid status = invokeRESTEndpoint(accessTokenString); Assert.assertEquals(200, status); // TimeOffset to 900 on the REST app side. Token is still valid (1200) but JWKPublicKeyLocator // should try to download new key (public-key-cache-ttl=600) setAdapterAndServerTimeOffset(900, customerDb.toString() + "/unsecured/foo"); // Send REST request. New request to the publicKey cache should be sent, and key is no longer // returned as token contains the old kid status = invokeRESTEndpoint(accessTokenString); Assert.assertEquals(401, status); // Revert public keys change and time offset resetKeycloakDeploymentForAdapter(customerDb.toString() + "/unsecured/foo"); resetKeycloakDeploymentForAdapter(tokenMinTTLPage.toString() + "/unsecured/foo"); }