
TYPO3GmbH / symfony-keycloak-bundle / 24443935890

15 Apr 2026 08:17AM UTC coverage: 4.386% (-0.02%) from 4.405%
24443935890

Pull #22

github

web-flow
Merge e7c2c13d7 into 43c1767e0
Pull Request #22: [BUGFIX] Invalidate Symfony session when Keycloak session expired

0 of 1 new or added line in 1 file covered. (0.0%)

16 existing lines in 1 file now uncovered.

10 of 228 relevant lines covered (4.39%)

9.36 hits per line

Source File

0.0
/src/EventSubscriber/RequestSubscriber.php
1
<?php declare(strict_types=1);
2

3
/*
4
 * This file is part of the package t3g/symfony-keycloak-bundle.
5
 *
6
 * For the full copyright and license information, please read the
7
 * LICENSE file that was distributed with this source code.
8
 */
9

10
namespace T3G\Bundle\Keycloak\EventSubscriber;
11

12
use KnpU\OAuth2ClientBundle\Client\ClientRegistry;
13
use KnpU\OAuth2ClientBundle\Client\OAuth2ClientInterface;
14
use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
15
use League\OAuth2\Client\Token\AccessToken;
16
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
17
use Symfony\Component\HttpFoundation\RedirectResponse;
18
use Symfony\Component\HttpFoundation\Response;
19
use Symfony\Component\HttpKernel\Event\RequestEvent;
20
use Symfony\Component\Routing\RouterInterface;
21
use T3G\Bundle\Keycloak\Security\KeyCloakAuthenticator;
22

23
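/**
 * Refreshes the Keycloak access token kept in the Symfony session.
 *
 * When the stored token has expired, a new one is requested with the refresh
 * token. If the identity provider rejects the refresh with `invalid_grant`,
 * the local session is invalidated and the request is redirected to the
 * `logout` route, so a local session does not outlive the Keycloak session.
 */
class RequestSubscriber implements EventSubscriberInterface
{
    private OAuth2ClientInterface $client;
    private RouterInterface $router;

    public function __construct(ClientRegistry $clientRegistry, RouterInterface $router)
    {
        $this->client = $clientRegistry->getClient('keycloak');
        $this->router = $router;
    }

    /**
     * @return array<string, array{0: string, 1: int}>
     */
    public static function getSubscribedEvents(): array
    {
        return [
            // NOTE(review): priority 10 presumably makes this run ahead of the
            // security firewall listener - confirm against the Symfony version in use.
            RequestEvent::class => ['refreshAccessToken', 10],
        ];
    }

    /**
     * Refreshes an expired access token, or forces a logout when that is no longer possible.
     *
     * @throws IdentityProviderException when the refresh fails for any reason other than `invalid_grant`
     */
    public function refreshAccessToken(RequestEvent $event): void
    {
        $request = $event->getRequest();
        if ('logout' === $request->attributes->get('_route')) {
            // Don't try to refresh access token on logout page
            return;
        }

        // getSession() throws on a request that carries no session (stateless
        // routes, for example); there is no token to refresh in that case.
        if (!$request->hasSession()) {
            return;
        }

        $session = $request->getSession();
        /** @var ?AccessToken $accessToken */
        $accessToken = $session->get(KeyCloakAuthenticator::SESSION_KEYCLOAK_ACCESS_TOKEN);
        if (null === $accessToken || !$accessToken->hasExpired()) {
            return;
        }

        try {
            $accessToken = $this->client->refreshAccessToken((string)$accessToken->getRefreshToken());
            $session->set(KeyCloakAuthenticator::SESSION_KEYCLOAK_ACCESS_TOKEN, $accessToken);
        } catch (IdentityProviderException $e) {
            if ('invalid_grant' !== $this->extractOAuthError($e)) {
                // Any other failure is surfaced unchanged. The expired token stays
                // in the session, so the refresh is attempted again on the next request.
                throw $e;
            }

            // User had a keycloak session, but refreshing the access token failed. Enforce logout.
            // Invalidate first so the stale tokens and any authenticated state in
            // the local session are dropped before the redirect is sent.
            $session->invalidate();
            $event->setResponse(new RedirectResponse(
                $this->router->generate('logout'),
                Response::HTTP_TEMPORARY_REDIRECT
            ));
        }
    }

    /**
     * Reads the OAuth2 `error` code from an identity-provider failure.
     *
     * The response body may be a decoded array or a raw string. A body that is
     * not valid JSON, or that has no string `error` member, yields null so the
     * caller can rethrow the original exception instead of a decoding error.
     */
    private function extractOAuthError(IdentityProviderException $e): ?string
    {
        $body = $e->getResponseBody();
        if (is_string($body)) {
            try {
                $body = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
            } catch (\JsonException) {
                return null;
            }
        }

        if (!is_array($body)) {
            return null;
        }

        $error = $body['error'] ?? null;

        return is_string($error) ? $error : null;
    }
}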