
Remove the session cookie if ID token verification failed
sberyozkin committed Mar 23, 2023
1 parent 611f79f commit 25b68f0
Showing 2 changed files with 19 additions and 2 deletions.
Expand Up @@ -321,8 +321,9 @@ public Uni<? extends SecurityIdentity> apply(Throwable t) {

if (!expired) {
LOG.errorf("ID token verification failure: %s", t.getCause());
return Uni.createFrom()
.failure(new AuthenticationCompletionException(t.getCause()));
return removeSessionCookie(context, configContext.oidcConfig)
.replaceWith(Uni.createFrom()
.failure(new AuthenticationCompletionException(t.getCause())));
}
// Token has expired, try to refresh
if (session.getRefreshToken() == null) {
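Review bot: If `removeSessionCookie(context, configContext.oidcConfig)` itself fails, `replaceWith` is never reached and the failure that propagates is the cookie-removal error rather than the `AuthenticationCompletionException`, so a problem while clearing the cookie could change how the request is mapped (presumably something other than the 401 the caller expects). Inserting `.onFailure().recoverWithNull()` before `.replaceWith(...)` would keep the authentication failure as the outcome regardless of whether the cookie removal succeeded; whether `removeSessionCookie` can actually fail is not visible from this hunk. A short comment on the new return would also help the next reader, e.g. `// Drop the invalid session cookie so the client stops replaying it on every request`. The rest of `apply(Throwable t)` lies outside the hunk, so whether the expired-token paths also clear the cookie cannot be confirmed from here.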
Expand Up @@ -564,6 +564,22 @@ public void testIdTokenInjection() throws IOException {
page = webClient.getPage("http://localhost:8081/web-app");

assertEquals("alice", page.getBody().asNormalizedText());

Cookie sessionCookie = getSessionCookie(webClient, null);
assertNotNull(sessionCookie);
webClient.getCookieManager().clearCookies();
webClient.getCookieManager().addCookie(new Cookie(sessionCookie.getDomain(), sessionCookie.getName(),
"1|2|3"));
sessionCookie = getSessionCookie(webClient, null);
assertEquals("1|2|3", sessionCookie.getValue());

try {
webClient.getPage("http://localhost:8081/web-app");
fail("401 status error is expected");
} catch (FailingHttpStatusCodeException ex) {
assertEquals(401, ex.getStatusCode());
assertNull(getSessionCookie(webClient, null));
}
webClient.getCookieManager().clearCookies();
}
}
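Review bot: The `webClient.getCookieManager().clearCookies()` call after the try/catch only runs when both assertions inside the catch block pass; if `assertNull(getSessionCookie(webClient, null))` fails, the forged `1|2|3` cookie stays in the jar and, if `webClient` is shared between tests, leaks into whatever runs next. Moving that cleanup into a `finally` block keeps it unconditional. The literal `"1|2|3"` also appears twice; a named local such as `String malformedSessionCookie = "1|2|3";` with a comment noting that it presumably mimics the pipe-separated multi-part session cookie layout (confirm against the cookie-building code) would document why this particular value, rather than an arbitrary string, is expected to reach the ID-token verification failure path. `testIdTokenInjection` starts before the hunk.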
