diff --git a/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java b/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java
index 8e8c576..0785420 100644
--- a/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java
+++ b/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java
@@ -153,7 +153,8 @@ public class RestartLoginCookie {
}
String encodedCookie = cook.getValue();
JWSInput input = new JWSInput(encodedCookie);
- SecretKey secretKey = session.keys().getHmacSecretKey(realm, input.getHeader().getKeyId());
+ String kid = input.getHeader().getKeyId();
+ SecretKey secretKey = kid == null ? session.keys().getActiveHmacKey(realm).getSecretKey() : session.keys().getHmacSecretKey(realm, input.getHeader().getKeyId());
if (secretKey == null) {
logger.debug("Failed to retrieve HMAC secret key for session restart");
return null;
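Review bot: The kid-less branch on the added `SecretKey secretKey = ...` line dereferences `getActiveHmacKey(realm)` directly, so the `secretKey == null` guard below it only protects the lookup-by-kid branch. Whether `getActiveHmacKey` can return null is not visible in this hunk; if it can, a cookie without a `kid` header would raise a NullPointerException instead of reaching the debug log and `return null`. The same line also calls `input.getHeader().getKeyId()` a second time rather than reusing the local: `... : session.keys().getHmacSecretKey(realm, kid);`. A short comment would record why an unidentified key is accepted, for example `// Cookies issued before kid was added (e.g. Keycloak 1.9.8) carry no kid; fall back to the active HMAC key`. The signature verification itself sits outside this hunk, so it is worth confirming that the fallback path goes through the same check.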
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RestartCookieTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RestartCookieTest.java
index 375070b..0bac68d 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RestartCookieTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RestartCookieTest.java
@@ -88,9 +88,9 @@ public class RestartCookieTest extends AbstractTestRealmKeycloakTest {
}
- // KEYCLOAK-5440
+ // KEYCLOAK-5440 -- migration from Keycloak 3.1.0
@Test
- public void testRestartCookieBackwardsCompatible() throws IOException, MessagingException {
+ public void testRestartCookieBackwardsCompatible_Keycloak25() throws IOException, MessagingException {
String oldRestartCookie = testingClient.server().fetchString((KeycloakSession session) -> {
try {
String cookieVal = OLD_RESTART_COOKIE_JSON.replace("\n", "").replace(" ", "");
@@ -125,4 +125,44 @@ public class RestartCookieTest extends AbstractTestRealmKeycloakTest {
.client((String) null)
.assertEvent();
}
+
+
+ // KEYCLOAK-7158 -- migration from Keycloak 1.9.8
+ @Test
+ public void testRestartCookieBackwardsCompatible_Keycloak19() throws IOException, MessagingException {
+ String oldRestartCookie = testingClient.server().fetchString((KeycloakSession session) -> {
+ try {
+ String cookieVal = OLD_RESTART_COOKIE_JSON.replace("\n", "").replace(" ", "");
+ RealmModel realm = session.realms().getRealmByName("test");
+
+ KeyManager.ActiveHmacKey activeKey = session.keys().getActiveHmacKey(realm);
+
+ // There was no KID in the token in Keycloak 1.9.8
+ String encodedToken = new JWSBuilder()
+ //.kid(activeKey.getKid())
+ .content(cookieVal.getBytes("UTF-8"))
+ .hmac256(activeKey.getSecretKey());
+
+ return encodedToken;
+
+
+ } catch (IOException ioe) {
+ throw new RuntimeException(ioe);
+ }
+ });
+
+ oauth.openLoginForm();
+
+ driver.manage().deleteAllCookies();
+ driver.manage().addCookie(new Cookie(RestartLoginCookie.KC_RESTART, oldRestartCookie));
+
+ loginPage.login("foo", "bar");
+ loginPage.assertCurrent();
+ Assert.assertEquals("You took too long to login. Login process starting from beginning.", loginPage.getError());
+
+ events.expectLogin().user((String) null).session((String) null).error(Errors.EXPIRED_CODE).clearDetails()
+ .detail(Details.RESTART_AFTER_TIMEOUT, "true")
+ .client((String) null)
+ .assertEvent();
+ }
}
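Review bot: The new `testRestartCookieBackwardsCompatible_Keycloak19` only covers the accepting path: a kid-less cookie signed with the realm's active key. Since this commit makes the server accept restart cookies that name no key, a companion case where the kid-less cookie is signed with some other secret, asserting that it is rejected, would pin the security-relevant half of the behaviour. The commented-out `//.kid(activeKey.getKid())` reads as leftover code; the sentence above it already explains the omission, so the line can be dropped. `cookieVal.getBytes("UTF-8")` could become `cookieVal.getBytes(StandardCharsets.UTF_8)`, although whether the `catch (IOException ioe)` is still needed afterwards depends on what `hmac256` declares, which is not shown here. The login and event assertions from `oauth.openLoginForm()` onward appear to duplicate the tail of the `_Keycloak25` test, so a shared private helper taking the cookie value would keep the two in step.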