- adding a authors file

- adding the build status and the godoc link
- renaming the config file to sample
- adding the refresh token expiration error
- clearing up the cookie if need be
- fixed up the travis build file

.gitignore

@@ -3,6 +3,7 @@
 bin/
 release/
 *.iml
+config.yml
 
 # Compiled Object files, Static and Dynamic libs (Shared Objects)
 *.o

.travis.yml

@@ -8,4 +8,5 @@ language: go
 go:
   - 1.5
 install:
+  - go get github.com/tools/godep
   - make test

AUTHORS

+Rohith <gambol99@gmail.com>

README.md

+[![Build Status](https://travis-ci.org/gambol99/keycloak-proxy.svg?branch=master)](https://travis-ci.org/gambol99/keycloak-proxy)
+[![GoDoc](http://godoc.org/github.com/gambol99/keycloak-proxy?status.png)](http://godoc.org/github.com/gambol99/keycloak-proxy)
+
 ### **Keycloak Proxy**
 ----
 

doc.go

@@ -60,6 +60,8 @@ var (
 	ErrInvalidSession = errors.New("invalid session identifier")
 	// ErrAccessTokenExpired indicates the access token has expired
 	ErrAccessTokenExpired = errors.New("the access token has expired")
+	// ErrRefreshTokenExpired indicates the refresh token as expired
+	ErrRefreshTokenExpired = errors.New("the refresh token has expired")
 )
 
 // KeycloakProxy is the sever component

handlers.go

@@ -123,7 +123,7 @@ func (r *KeycloakProxy) admissionHandler(cx *gin.Context) {
 			}
 			// step: we need to check the roles
 			if !hasRoles(resource.RolesAllowed, identity.roles) {
-				glog.Errorf("[denied] resource: %s invalid roles", resource)
+				glog.Errorf("[denied] resource: %s invalid roles, issued: %s", resource, identity.roles)
 				r.accessForbidden(cx)
 				return
 			}

oauth.go

@@ -104,9 +104,27 @@ func (r *KeycloakProxy) callbackHandler(cx *gin.Context) {
 
 	// step: do we have session data to persist?
 	if r.config.RefreshSession {
+		// step: parse the token
+		_, ident, err := r.parseToken(response.RefreshToken)
+		if err != nil {
+			glog.Errorf("failed to parse the refresh token, reason: %s", err)
+			cx.AbortWithStatus(http.StatusInternalServerError)
+			return
+		}
+
+		glog.Infof("retrieved the refresh token for user: %s, expires at: %s", identity, ident.ExpiresAt)
+
+		// step: create the state session
 		state := &SessionState{
 			refreshToken: response.RefreshToken,
-			expireOn:     time.Now().Add(r.config.MaxSessionDuration),
+		}
+
+		max_session := time.Now().Add(r.config.MaxSessionDuration)
+		switch max_session.After(ident.ExpiresAt) {
+		case true:
+			state.expireOn = ident.ExpiresAt
+		default:
+			state.expireOn = max_session
 		}
 
 		if err := r.createSessionState(state, cx); err != nil {
@@ -124,14 +142,19 @@ func (r *KeycloakProxy) refreshAccessToken(refreshToken string) (jose.JWT, time.
 	// step: refresh the access token
 	response, err := r.getToken(oauth2.GrantTypeRefreshToken, refreshToken)
 	if err != nil {
+		if strings.Contains(err.Error(), "token expired") {
+			return jose.JWT{}, time.Time{}, ErrRefreshTokenExpired
+		}
 		return jose.JWT{}, time.Time{}, err
 	}
 
+	// step: parse the access token
 	token, identity, err := r.parseToken(response.AccessToken)
 	if err != nil {
 		return jose.JWT{}, time.Time{}, err
 	}
 
+
 	return token, identity.ExpiresAt, nil
 }
 

session.go

@@ -46,6 +46,12 @@ func (r *KeycloakProxy) refreshUserSessionToken(cx *gin.Context) (jose.JWT, erro
 	// step: attempts to refresh the access token
 	token, expires, err := r.refreshAccessToken(state.refreshToken)
 	if err != nil {
+		// step: has the refresh token expired
+		if err == ErrRefreshTokenExpired {
+			glog.Warningf("the refresh token has expired: %s", token)
+			http.SetCookie(cx.Writer, createSessionStateCookie(token.Encode(), cx.Request.Host, time.Now()))
+		}
+
 		glog.Errorf("failed to refresh the access token, reason: %s", err)
 		return jose.JWT{}, err
 	}