diff --git a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
index 769947a..10c9516 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
@@ -203,17 +203,6 @@ public class TokenManager {
return false;
}
- UserModel user = session.users().getUserById(token.getSubject(), realm);
- if (user == null) {
- return false;
- }
- if (!user.isEnabled()) {
- return false;
- }
- if (token.getIssuedAt() < session.users().getNotBeforeOfUser(realm, user)) {
- return false;
- }
-
ClientModel client = realm.getClientByClientId(token.getIssuedFor());
if (client == null || !client.isEnabled() || token.getIssuedAt() < client.getNotBefore()) {
return false;
@@ -224,6 +213,16 @@ public class TokenManager {
return true;
}
+ UserModel user = userSession.getUser();
+ if (user == null) {
+ return false;
+ }
+ if (!user.isEnabled()) {
+ return false;
+ }
+ if (token.getIssuedAt() < session.users().getNotBeforeOfUser(realm, user)) {
+ return false;
+ }
userSession = new UserSessionCrossDCManager(session).getUserSessionWithClient(realm, token.getSessionState(), true, client.getId());
if (AuthenticationManager.isOfflineSessionValid(realm, userSession)) {
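Review bot: The user checks added at the top of this hunk sit after the `return true;` that closes the preceding branch and before `userSession` is reassigned by the offline lookup, so whichever path returns there now skips the enabled and not-before checks entirely, and the remaining path dereferences the earlier `userSession` value, which the fall-through to a second lookup suggests can be null. The enclosing method starts and ends outside the hunk, but the block removed in the previous hunk applied those checks on every path before the client check, so if the preceding branch is the online-session check this is a regression: a disabled or not-before-revoked user with a live session is accepted, and a missing online session raises NullPointerException instead of falling through to the offline lookup. Move the checks into a helper and call it after each successful session check, replacing both `return true;` with `return isUserValid(session, realm, token, userSession);` so the offline lookup succeeds before the user is read.
```java
    /** Rejects tokens whose user is missing, disabled, or issued before the user's not-before. */
    private boolean isUserValid(KeycloakSession session, RealmModel realm, AccessToken token, UserSessionModel userSession) {
        UserModel user = userSession.getUser();
        if (user == null || !user.isEnabled()) {
            return false;
        }
        return token.getIssuedAt() >= session.users().getNotBeforeOfUser(realm, user);
    }
```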
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCPairwiseClientRegistrationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCPairwiseClientRegistrationTest.java
index 0601879..45bcb7b 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCPairwiseClientRegistrationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCPairwiseClientRegistrationTest.java
@@ -18,6 +18,8 @@
package org.keycloak.testsuite.client;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.commons.lang.StringUtils;
import org.junit.Before;
import org.junit.Test;
@@ -44,9 +46,11 @@ import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.UserInfoClientUtil;
import org.keycloak.testsuite.util.UserManager;
+import org.keycloak.util.JsonSerialization;
import javax.ws.rs.client.Client;
import javax.ws.rs.core.Response;
+import java.io.IOException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
@@ -408,6 +412,22 @@ public class OIDCPairwiseClientRegistrationTest extends AbstractClientRegistrati
}
@Test
+ public void introspectPairwiseAccessToken() throws Exception {
+ // Create a pairwise client
+ OIDCClientRepresentation pairwiseClient = createPairwise();
+
+ // Login to pairwise client
+ OAuthClient.AccessTokenResponse accessTokenResponse = login(pairwiseClient, "test-user@localhost", "password");
+
+ String introspectionResponse = oauth.introspectAccessTokenWithClientCredential(pairwiseClient.getClientId(), pairwiseClient.getClientSecret(), accessTokenResponse.getAccessToken());
+
+ ObjectMapper objectMapper = new ObjectMapper();
+ JsonNode jsonNode = objectMapper.readTree(introspectionResponse);
+ Assert.assertEquals(true, jsonNode.get("active").asBoolean());
+ Assert.assertEquals("test-user@localhost", jsonNode.get("email").asText());
+ }
+
+ @Test
public void refreshPairwiseTokenDeletedUser() throws Exception {
String userId = createUser(REALM_NAME, "delete-me@localhost", "password");
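Review bot: The new test asserts only `active` and `email`, which a non-pairwise client would satisfy as well, so it does not pin the behaviour the TokenManager change exists for; asserting on the introspected `sub` claim, for example that it is not the realm user's id, would cover the pairwise subject case. The imports `org.keycloak.util.JsonSerialization` and `java.io.IOException` added earlier in this file are not used by the new method, which builds its own `ObjectMapper`; unless another part of the file needs them, either drop them or route the parsing through `JsonSerialization` instead of a fresh mapper. The hunk also ends inside `refreshPairwiseTokenDeletedUser`, which continues outside it.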