24445315431

Committed 15 Apr 2026 08:49AM UTC coverage: 4.484% (+0.08%) from 4.405%

Build # 24445315431

Build Type

Pull #22

github

Committed by

web-flow

Commit Message

Merge 65a4db871 into 43c1767e0

Pull Request Pull Request #22: [BUGFIX] Invalidate Symfony session when Keycloak session expired

Coverage Stats

0 of 2 new or added lines in 2 files covered. (0.0%)

1 existing line in 1 file now uncovered.

10 of 223 relevant lines covered (4.48%)

9.57 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

0.0

/src/EventSubscriber/RequestSubscriber.php

<?php declare(strict_types=1);

/*
 * This file is part of the package t3g/symfony-keycloak-bundle.
 *
 * For the full copyright and license information, please read the
 * LICENSE file that was distributed with this source code.
 */

namespace T3G\Bundle\Keycloak\EventSubscriber;

use KnpU\OAuth2ClientBundle\Client\ClientRegistry;
use KnpU\OAuth2ClientBundle\Client\OAuth2ClientInterface;
use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
use League\OAuth2\Client\Token\AccessToken;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\Routing\RouterInterface;
use T3G\Bundle\Keycloak\Security\KeyCloakAuthenticator;

class RequestSubscriber implements EventSubscriberInterface
{
    private OAuth2ClientInterface $client;
    private RouterInterface $router;

    public function __construct(ClientRegistry $clientRegistry, RouterInterface $router)
    {
        $this->client = $clientRegistry->getClient('keycloak');
        $this->router = $router;
    }

    public static function getSubscribedEvents(): array
    {
        return [
            RequestEvent::class => ['refreshAccessToken', 10],
        ];
    }

    public function refreshAccessToken(RequestEvent $event): void
    {
        $request = $event->getRequest();
        if ('logout' === $request->attributes->get('_route')) {
            // Don't try to refresh access token on logout page
            return;
        }

        $session = $request->getSession();
        /** @var ?AccessToken $accessToken */
        $accessToken = $session->get(KeyCloakAuthenticator::SESSION_KEYCLOAK_ACCESS_TOKEN);
        if ($accessToken?->hasExpired()) {
            try {
                $accessToken = $this->client->refreshAccessToken((string)$accessToken->getRefreshToken());
                $session->set(KeyCloakAuthenticator::SESSION_KEYCLOAK_ACCESS_TOKEN, $accessToken);
            } catch (IdentityProviderException $e) {
                if (is_string($e->getResponseBody())) {
                    /** @var array $body */
                    $body = json_decode($e->getResponseBody(), true, 512, JSON_THROW_ON_ERROR);
                } else {
                    $body = $e->getResponseBody();
                }

                if ('invalid_grant' === $body['error']) {
                    // User had a keycloak session, but refreshing the access token failed. Enforce logout in Symfony.
                    $session->invalidate();
                    return;
                }

                throw $e;
            }
        }
    }
}

1	<?php declare(strict_types=1);
2
3	/*
4	* This file is part of the package t3g/symfony-keycloak-bundle.
5	*
6	* For the full copyright and license information, please read the
7	* LICENSE file that was distributed with this source code.
8	*/
9
10	namespace T3G\Bundle\Keycloak\EventSubscriber;
11
12	use KnpU\OAuth2ClientBundle\Client\ClientRegistry;
13	use KnpU\OAuth2ClientBundle\Client\OAuth2ClientInterface;
14	use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
15	use League\OAuth2\Client\Token\AccessToken;
16	use Symfony\Component\EventDispatcher\EventSubscriberInterface;
17	use Symfony\Component\HttpKernel\Event\RequestEvent;
18	use Symfony\Component\Routing\RouterInterface;
19	use T3G\Bundle\Keycloak\Security\KeyCloakAuthenticator;
20
21	class RequestSubscriber implements EventSubscriberInterface
22	{
23	private OAuth2ClientInterface $client;
24	private RouterInterface $router;
25
26	public function __construct(ClientRegistry $clientRegistry, RouterInterface $router)
27	{
28	$this->client = $clientRegistry->getClient('keycloak');	×
29	$this->router = $router;	×
30	}
31
32	public static function getSubscribedEvents(): array
33	{
34	return [	×
35	RequestEvent::class => ['refreshAccessToken', 10],	×
36	];	×
37	}
38
39	public function refreshAccessToken(RequestEvent $event): void
40	{
41	$request = $event->getRequest();	×
42	if ('logout' === $request->attributes->get('_route')) {	×
43	// Don't try to refresh access token on logout page
44	return;	×
45	}
46
47	$session = $request->getSession();	×
48	/** @var ?AccessToken $accessToken */
49	$accessToken = $session->get(KeyCloakAuthenticator::SESSION_KEYCLOAK_ACCESS_TOKEN);	×
50	if ($accessToken?->hasExpired()) {	×
51	try {
52	$accessToken = $this->client->refreshAccessToken((string)$accessToken->getRefreshToken());	×
53	$session->set(KeyCloakAuthenticator::SESSION_KEYCLOAK_ACCESS_TOKEN, $accessToken);	×
54	} catch (IdentityProviderException $e) {	×
55	if (is_string($e->getResponseBody())) {	×
56	/** @var array $body */
57	$body = json_decode($e->getResponseBody(), true, 512, JSON_THROW_ON_ERROR);	×
58	} else {
59	$body = $e->getResponseBody();	×
60	}
61
62	if ('invalid_grant' === $body['error']) {	×
63	// User had a keycloak session, but refreshing the access token failed. Enforce logout in Symfony.
NEW 64	$session->invalidate();	×
UNCOV 65	return;	×
66	}
67
68	throw $e;	×
69	}
70	}
71	}
72	}

TYPO3GmbH / symfony-keycloak-bundle / 24445315431

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous