Revoked token cache expiration fix

Added 1 second to the duration of the cache for revoked tokens to prevent them from still being valid for 1 second after the expiration date of the access token. Closes #26113 Signed-off-by: graziang <g.graziano94@gmail.com> (cherry picked from commit 54b40d31b6)
2025-12-30 11:29:57 -06:00 · 2024-03-06 18:12:03 +01:00
parent 1f2ddde6f3
commit ec4b43bca2
2 changed files with 22 additions and 1 deletions
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenRevocationEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenRevocationEndpoint.java
@@ -257,7 +257,7 @@ public class TokenRevocationEndpoint {
    private void revokeAccessToken() {
        SingleUseObjectProvider singleUseStore = session.singleUseObjects();
        int currentTime = Time.currentTime();
-        long lifespanInSecs = Math.max(token.getExp() - currentTime, 10);
+        long lifespanInSecs = Math.max(token.getExp() - currentTime + 1, 10);
        singleUseStore.put(token.getId() + SingleUseObjectProvider.REVOKED_KEY, lifespanInSecs, Collections.emptyMap());
    }
 }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenRevocationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenRevocationTest.java
@@ -71,6 +71,7 @@ import org.keycloak.testsuite.util.OAuthClient;
 import org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse;
 import org.keycloak.testsuite.util.RealmBuilder;
 import org.keycloak.testsuite.util.UserInfoClientUtil;
+import org.keycloak.testsuite.util.InfinispanTestTimeServiceRule;
 import org.keycloak.util.JsonSerialization;

 /**
@@ -86,6 +87,9 @@ public class TokenRevocationTest extends AbstractKeycloakTest {
    @Rule
    public AssertEvents events = new AssertEvents(this);

+    @Rule
+    public InfinispanTestTimeServiceRule ispnTestTimeService = new InfinispanTestTimeServiceRule(this);
+
    @Override
    public void beforeAbstractKeycloakTest() throws Exception {
        super.beforeAbstractKeycloakTest();
@@ -173,6 +177,23 @@ public class TokenRevocationTest extends AbstractKeycloakTest {
        isAccessTokenDisabled(tokenResponse.getAccessToken(), "test-app");
    }

+    @Test
+    public void testRevokedAccessTokenCacheLifespan() throws Exception {
+        oauth.clientId("test-app");
+        OAuthClient.AccessTokenResponse tokenResponse = oauth.doGrantAccessTokenRequest("password", "test-user@localhost", "password");
+
+        isTokenEnabled(tokenResponse, "test-app");
+
+        CloseableHttpResponse response = oauth.doTokenRevoke(tokenResponse.getAccessToken(), "access_token", "password");
+        assertThat(response, Matchers.statusCodeIsHC(Status.OK));
+
+        setTimeOffset(adminClient.realm(oauth.getRealm()).toRepresentation().getAccessTokenLifespan());
+
+        isAccessTokenDisabled(tokenResponse.getAccessToken(), "test-app");
+
+        setTimeOffset(0);
+    }
+
    @Test
    public void testRevokeOfflineToken() throws Exception {
        oauth.scope(OAuth2Constants.OFFLINE_ACCESS);