Minor ticket refresh / role permission improvements

repository/src/main/java/de/acosix/alfresco/keycloak/repo/client/IDMClientImpl.java

@@ -555,7 +555,8 @@ public class IDMClientImpl implements InitializingBean, IDMClient
         this.tokenLock.readLock().lock();
         try
         {
-            if (this.token != null && (!this.token.canRefresh() || !this.token.shouldRefresh(this.deployment.getTokenMinimumTimeToLive())))
+            if (this.token != null && this.token.isActive()
+                    && (!this.token.canRefresh() || !this.token.shouldRefresh(this.deployment.getTokenMinimumTimeToLive())))
             {
                 validToken = this.token.getToken();
             }
@@ -570,7 +571,7 @@ public class IDMClientImpl implements InitializingBean, IDMClient
             this.tokenLock.writeLock().lock();
             try
             {
-                if (this.token != null
+                if (this.token != null && this.token.isActive()
                         && (!this.token.canRefresh() || !this.token.shouldRefresh(this.deployment.getTokenMinimumTimeToLive())))
                 {
                     validToken = this.token.getToken();

repository/src/main/webscripts/de/acosix/keycloak/customisations/slingshot/documentlibrary/permissions.get.js

@@ -32,11 +32,12 @@ function process(permissions)
                 {
                     // enhance permissionObj.authority to at least add displayName
                     // may/will still look like a user in UI which only differentiates groups / users
+                    // UI does not display full authority name unless we include it in the displayName (different to authority picker)
                     permissionObj.authority = {
                         name : authority,
                         fullName : authority,
                         shortName : authority.substring(5),
-                        displayName : role.description || role.keycloakName
+                        displayName : (role.description || role.keycloakName) + ' (' + authority + ')'
                     };
                 }
             }

share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java

@@ -1168,19 +1168,19 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
                 // not really feasible to synchronise / lock concurrent refresh on token
                 // not a big problem - apart from wasted CPU cycles / latency - since each concurrently refreshed token is valid
                 // independently
-                if (token == null || (token.canRefresh() && token.shouldRefresh(this.keycloakDeployment.getTokenMinimumTimeToLive())))
+                if (token == null || !token.isActive() || (token.canRefresh() && token.shouldRefresh(this.keycloakDeployment.getTokenMinimumTimeToLive())))
                 {
                     AccessTokenResponse response;
                     try
                     {
-                        if (token != null)
+                        if (token != null && token.canRefresh())
                         {
                             LOGGER.debug("Refreshing access token for Alfresco backend resource {}", alfrescoResourceName);
                             response = ServerRequest.invokeRefresh(this.keycloakDeployment, token.getRefreshToken());
                         }
                         else
                         {
-                            LOGGER.debug("Retrieving initial access token for Alfresco backend resource {}", alfrescoResourceName);
+                            LOGGER.debug("Retrieving initial / new access token for Alfresco backend resource {}", alfrescoResourceName);
                             response = this.getAccessToken(alfrescoResourceName, session);
                         }
                     }