

KEYCLOAK-8481 Don't include empty resource_access in access token
mposolda authored and stianst committed Oct 11, 2018
1 parent aaa33ad commit 5b51c00
Showing 3 changed files with 38 additions and 3 deletions.
12 changes: 9 additions & 3 deletions core/src/main/java/org/keycloak/representations/AccessToken.java
Expand Up @@ -24,6 +24,7 @@

import java.io.Serializable;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
Expand Down Expand Up @@ -123,7 +124,7 @@ public void setCertThumbprint(String certThumbprint) {
protected Access realmAccess;

@JsonProperty("resource_access")
protected Map<String, Access> resourceAccess = new HashMap<String, Access>();
protected Map<String, Access> resourceAccess;

@JsonProperty("authorization")
protected Authorization authorization;
Expand All @@ -134,8 +135,9 @@ public void setCertThumbprint(String certThumbprint) {
@JsonProperty("scope")
protected String scope;

@JsonIgnore
public Map<String, Access> getResourceAccess() {
return resourceAccess;
return resourceAccess == null ? Collections.<String, Access>emptyMap() : resourceAccess;
}

public void setResourceAccess(Map<String, Access> resourceAccess) {
Expand Down Expand Up @@ -172,10 +174,14 @@ public boolean isVerifyCaller(String resource) {

@JsonIgnore
public Access getResourceAccess(String resource) {
return resourceAccess.get(resource);
return resourceAccess == null ? null : resourceAccess.get(resource);
}

public Access addAccess(String service) {
if (resourceAccess == null) {
resourceAccess = new HashMap<>();
}

Access access = resourceAccess.get(service);
if (access != null) return access;
access = new Access();
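Review bot: `getResourceAccess()` now returns `Collections.emptyMap()` for a token that has no client roles, so a caller that previously mutated the returned map on a fresh token (`token.getResourceAccess().put(...)`) gets an `UnsupportedOperationException` where it used to succeed, and a caller that keeps a reference to that empty map will not observe a later `addAccess` call; the hunk does not document this. The getter should carry a Javadoc such as `/** Returns the per-client access map, or an unmodifiable empty map when none has been set; mutate through {@link #addAccess(String)} or {@link #setResourceAccess(Map)}. */`, and `getResourceAccess(String)` could reference it so both null-handling paths read as one contract. The body of `setResourceAccess` and the tail of `addAccess` lie outside the hunk.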
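--- a/core/src/test/java/org/keycloak/SkeletonKeyTokenTest.java
+++ b/core/src/test/java/org/keycloak/SkeletonKeyTokenTest.java
@@ -118,6 +118,27 @@ public void testSerialization() throws Exception {
 ois.close();
 }
 
+
+@Test
+public void testTokenWithoutResourceAccess() throws Exception {
+AccessToken token = new AccessToken();
+token.id("111");
+token.issuer("http://localhost:8080/auth/acme");
+
+String json = JsonSerialization.writeValueAsString(token);
+
+// Assert JSON doesn't contain "realm_access" or "resource_access" fields as it doesn't have any roles specified
+Assert.assertFalse(json.contains("realm_access"));
+Assert.assertFalse(json.contains("resource_access"));
+
+token = JsonSerialization.readValue(json, AccessToken.class);
+
+Assert.assertNull(token.getRealmAccess());
+Assert.assertTrue(token.getResourceAccess() != null && token.getResourceAccess().isEmpty());
+Assert.assertNull(token.getResourceAccess("foo"));
+}
+
+
 private AccessToken createSimpleToken() {
 AccessToken token = new AccessToken();
 token.id("111");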
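Review bot: The assertion `Assert.assertTrue(token.getResourceAccess() != null && token.getResourceAccess().isEmpty())` still guards against a null return that the new getter no longer produces, and on failure `assertTrue` reports nothing about the actual value. `Assert.assertEquals(Collections.emptyMap(), token.getResourceAccess());` pins the intended contract and prints the offending map (add an import of `java.util.Collections` if the test class does not already have one). The two `json.contains(...)` checks match a bare substring; asserting on the quoted key, `json.contains("\"resource_access\"")`, keeps the test from failing on an unrelated claim value that happens to contain the word.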
Expand Up @@ -27,6 +27,7 @@
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.common.util.UriUtils;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.models.AccountRoles;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocolFactory;
Expand All @@ -50,6 +51,8 @@
import org.keycloak.testsuite.util.ProtocolMapperUtil;

import javax.ws.rs.core.Response;

import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
Expand Down Expand Up @@ -402,6 +405,11 @@ public void testUserRolesMovedFromAccessTokenProperties() throws Exception {
Assert.assertNull(accessToken.getRealmAccess());
Assert.assertTrue(accessToken.getResourceAccess().isEmpty());

// KEYCLOAK-8481 Assert that accessToken JSON doesn't have "realm_access" or "resource_access" fields in it
String accessTokenJson = new String(new JWSInput(response.getAccessToken()).getContent(), StandardCharsets.UTF_8);
Assert.assertFalse(accessTokenJson.contains("realm_access"));
Assert.assertFalse(accessTokenJson.contains("resource_access"));

// Assert both realm and client roles on the new position. Hardcoded role should be here as well
Map<String, Object> cst1 = (Map<String, Object>) accessToken.getOtherClaims().get("custom");
List<String> roles = (List<String>) cst1.get("roles");
