TOMEE-4592 - handle token refresh failure more gracefully

jungm · jungm · commit e934d562de8c · 2026-03-20T15:35:41.000+01:00
(cherry picked from commit 6c6a805)
diff --git a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/OpenIdAuthenticationMechanism.java b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/OpenIdAuthenticationMechanism.java
@@ -167,7 +167,11 @@ protected AuthenticationStatus handleExpiredTokens(HttpServletRequest request, H
     protected AuthenticationStatus refreshTokens(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) {
         try (Client client = ClientBuilder.newClient()) {
             RefreshToken refreshToken = openIdContext.getRefreshToken()
-                    .orElseThrow(() -> new IllegalArgumentException("Cannot refresh tokens, no refresh_token received"));
+                    .orElse(null);
+
+            if (refreshToken == null) {
+                throw new IllegalStateException("Cannot refresh tokens, no refresh_token received");
+            }
 
             Form form = new Form()
                     .param(OpenIdConstant.CLIENT_ID, definition.clientId())
@@ -182,9 +186,9 @@ protected AuthenticationStatus refreshTokens(HttpServletRequest request, HttpSer
             return handleTokenResponse(tokenResponse, httpMessageContext);
 
         } catch (Exception e) {
+            LOGGER.warning("Token refresh failed, logging out the current subject", e);
             cleanSubject(request, response, httpMessageContext);
-
-            throw e;
+            return AuthenticationStatus.SEND_FAILURE;
         }
     }
 
diff --git a/tomee/tomee-security/src/test/java/org/apache/tomee/security/cdi/OpenIdAuthenticationMechanismTest.java b/tomee/tomee-security/src/test/java/org/apache/tomee/security/cdi/OpenIdAuthenticationMechanismTest.java
@@ -31,6 +31,8 @@
 import jakarta.enterprise.context.ApplicationScoped;
 import jakarta.enterprise.inject.Vetoed;
 import jakarta.inject.Inject;
+import jakarta.security.enterprise.AuthenticationStatus;
+import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
 import jakarta.security.enterprise.authentication.mechanism.http.OpenIdAuthenticationMechanismDefinition;
 import jakarta.security.enterprise.authentication.mechanism.http.openid.DisplayType;
 import jakarta.security.enterprise.authentication.mechanism.http.openid.PromptType;
@@ -40,11 +42,12 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertThrows;
 import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 @Vetoed
 @RunWith(ApplicationComposer.class)
-@Classes(cdi = true, value = {OpenIdAuthenticationMechanism.class, TomEEOpenIdContext.class, OpenIdAuthenticationMechanismTest.SimpleStorageHandler.class})
+@Classes(cdi = true, value = {OpenIdAuthenticationMechanismTest.TestOpenIdAuthenticationMechanism.class, TomEEOpenIdContext.class, OpenIdAuthenticationMechanismTest.SimpleStorageHandler.class})
 public class OpenIdAuthenticationMechanismTest {
 
     @Inject
@@ -72,6 +75,8 @@ public void configureMockedDefinition() {
         when(definition.display()).thenReturn(null);
         when(definition.prompt()).thenReturn(new PromptType[0]);
         when(definition.extraParameters()).thenReturn(new String[0]);
+        when(definition.logout().notifyProvider()).thenReturn(false);
+        when(definition.logout().redirectURI()).thenReturn("");
     }
 
     @Test
@@ -140,6 +145,25 @@ public void authorizationExtraParametersMalformed() {
         assertThrows(IllegalArgumentException.class, () -> authenticationMechanism.buildAuthorizationUri(null, null));
     }
 
+    @Test
+    public void refreshTokenFailureDoesNotThrow() {
+        HttpServletRequest request = mock(HttpServletRequest.class);
+        HttpServletResponse response = mock(HttpServletResponse.class);
+        HttpMessageContext messageContext = mock(HttpMessageContext.class, Answers.RETURNS_DEEP_STUBS);
+        when(request.getRequestURL()).thenReturn(new StringBuffer("https://example.com/app"));
+
+        assertEquals(AuthenticationStatus.SEND_FAILURE,
+                authenticationMechanism.refreshTokens(request, response, messageContext));
+    }
+
+    @ApplicationScoped
+    public static class TestOpenIdAuthenticationMechanism extends OpenIdAuthenticationMechanism {
+        @Override
+        public void cleanSubject(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) {
+            // no-op for this focused failure-path test
+        }
+    }
+
     @ApplicationScoped
     protected static class SimpleStorageHandler extends OpenIdStorageHandler {
 
@@ -170,4 +194,4 @@ public void delete(HttpServletRequest request, HttpServletResponse response, Str
 
         }
     }
-}
+}
