From 55184fe2196b5092d4c0b8a449c63c83b183eef3 Mon Sep 17 00:00:00 2001
From: AFaust
Date: Thu, 20 Feb 2020 01:52:34 +0100
Subject: [PATCH] Minor ticket refresh / role permission improvements
---
 .../acosix/alfresco/keycloak/repo/client/IDMClientImpl.java | 5 +++--
 .../slingshot/documentlibrary/permissions.get.js | 3 ++-
 .../keycloak/share/web/KeycloakAuthenticationFilter.java | 6 +++---
 3 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/client/IDMClientImpl.java b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/client/IDMClientImpl.java
index 709be4f..dcc59db 100644
--- a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/client/IDMClientImpl.java
+++ b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/client/IDMClientImpl.java
@@ -555,7 +555,8 @@ public class IDMClientImpl implements InitializingBean, IDMClient
 this.tokenLock.readLock().lock();
 try
 {
- if (this.token != null && (!this.token.canRefresh() || !this.token.shouldRefresh(this.deployment.getTokenMinimumTimeToLive())))
+ if (this.token != null && this.token.isActive()
+ && (!this.token.canRefresh() || !this.token.shouldRefresh(this.deployment.getTokenMinimumTimeToLive())))
 {
 validToken = this.token.getToken();
 }
@@ -570,7 +571,7 @@ public class IDMClientImpl implements InitializingBean, IDMClient
 this.tokenLock.writeLock().lock();
 try
 {
- if (this.token != null
+ if (this.token != null && this.token.isActive()
 && (!this.token.canRefresh() || !this.token.shouldRefresh(this.deployment.getTokenMinimumTimeToLive())))
 {
 validToken = this.token.getToken();
diff --git a/repository/src/main/webscripts/de/acosix/keycloak/customisations/slingshot/documentlibrary/permissions.get.js b/repository/src/main/webscripts/de/acosix/keycloak/customisations/slingshot/documentlibrary/permissions.get.js
index cbae554..e049e32 100644
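Review bot: In both IDMClientImpl hunks (the read-lock check and the write-lock re-check) a token that cannot be refreshed is still handed out without the `getTokenMinimumTimeToLive()` margin, because `!this.token.canRefresh()` short-circuits the `shouldRefresh(...)` test. `isActive()` only holds at the instant of the check, so such a token can expire before the request carrying it is validated. If `shouldRefresh` only compares remaining lifetime (its body is not visible here), the guard could be `if (this.token != null && this.token.isActive() && !this.token.shouldRefresh(this.deployment.getTokenMinimumTimeToLive()))`, leaving the code after the guard, which presumably obtains a fresh token, to handle the rest. The same three-part condition now appears twice with different line wrapping, so one private predicate shared by both branches would keep them from drifting. The enclosing method starts and ends outside both hunks.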
--- a/repository/src/main/webscripts/de/acosix/keycloak/customisations/slingshot/documentlibrary/permissions.get.js
+++ b/repository/src/main/webscripts/de/acosix/keycloak/customisations/slingshot/documentlibrary/permissions.get.js
@@ -32,11 +32,12 @@ function process(permissions)
 {
 // enhance permissionObj.authority to at least add displayName
 // may/will still look like a user in UI which only differentiates groups / users
+ // UI does not display full authority name unless we include it in the displayName (different to authority picker)
 permissionObj.authority = {
 name : authority,
 fullName : authority,
 shortName : authority.substring(5),
- displayName : role.description || role.keycloakName
+ displayName : (role.description || role.keycloakName) + ' (' + authority + ')'
 };
 }
 }
diff --git a/share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java b/share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java
index 92650da..6225d83 100644
--- a/share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java
+++ b/share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java
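Review bot: The new `displayName` expression concatenates unconditionally, so when `role.description` and `role.keycloakName` are both empty the label becomes the literal text `undefined (<authority>)` or `null (<authority>)` rather than a falsy value a consumer could fall back on. In a permissions view that is a misleading entry, since it reads like a real role name. Whether a role can reach this point without either field is not visible in the hunk, but a last fallback is cheap: `displayName : (role.description || role.keycloakName || authority.substring(5)) + ' (' + authority + ')'`. `process` starts and ends outside the hunk.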
@@ -1168,19 +1168,19 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
 // not really feasible to synchronise / lock concurrent refresh on token
 // not a big problem - apart from wasted CPU cycles / latency - since each concurrently refreshed token is valid
 // independently
- if (token == null || (token.canRefresh() && token.shouldRefresh(this.keycloakDeployment.getTokenMinimumTimeToLive())))
+ if (token == null || !token.isActive() || (token.canRefresh() && token.shouldRefresh(this.keycloakDeployment.getTokenMinimumTimeToLive())))
 {
 AccessTokenResponse response;
 try
 {
- if (token != null)
+ if (token != null && token.canRefresh())
 {
 LOGGER.debug("Refreshing access token for Alfresco backend resource {}", alfrescoResourceName);
 response = ServerRequest.invokeRefresh(this.keycloakDeployment, token.getRefreshToken());
 }
 else
 {
- LOGGER.debug("Retrieving initial access token for Alfresco backend resource {}", alfrescoResourceName);
+ LOGGER.debug("Retrieving initial / new access token for Alfresco backend resource {}", alfrescoResourceName);
 response = this.getAccessToken(alfrescoResourceName, session);
 }
 }
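Review bot: The comment above the widened condition still says unsynchronised concurrent refreshes are harmless because each refreshed token is valid independently, which only holds while the realm lets a refresh token be used more than once. With refresh-token revocation enabled in Keycloak, the second of two parallel `ServerRequest.invokeRefresh` calls would be rejected. Since `!token.isActive()` now sends more requests down this path, the comment should state the assumption, for example `// assumes the realm does not revoke refresh tokens on first use - otherwise a concurrent refresh fails and must fall back to getAccessToken`. The `catch` for this `try` lies outside the hunk, so whether a failed refresh of an already inactive token falls back to a new token exchange, or leaves the stale token in the session, cannot be confirmed from here.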