KEYCLOAK-14851: make AIA max auth age configurable per AIA

This commit is contained in:
zak905 2020-07-26 19:02:09 +02:00 committed by Stan Silvert
parent 7217b597f3
commit 8597edba8e
2 changed files with 11 additions and 1 deletions


@ -17,6 +17,7 @@
package org.keycloak.authentication;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.provider.Provider;
import org.keycloak.sessions.AuthenticationSessionModel;
@ -75,4 +76,10 @@ public interface RequiredActionProvider extends Provider {
* @param context
*/
void processAction(RequiredActionContext context);
/**
* Defines the max time after a user login, after which re-authentication is requested for an AIA. 0 means that re-authentication is always requested.
*
*/
default int getMaxAuthAge() { return Constants.KC_ACTION_MAX_AGE; }
}
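Review bot: The Javadoc on the new `getMaxAuthAge()` default method gives no unit and no `@return`, and its second line is an empty `*`; since the OIDCLoginProtocol hunk adds the value to the `AUTH_TIME` note and compares it with `Time.currentTime()`, the unit (presumably seconds, matching `Time.currentTime()`) should be spelled out, e.g. ` * @return maximum age of the login in seconds before the AIA requires re-authentication; defaults to {@link Constants#KC_ACTION_MAX_AGE}`. The sentence "0 means that re-authentication is always requested" is slightly stronger than the visible check `authTimeInt + maxAgeInt < Time.currentTime()`, which still skips re-authentication when the login happened in the same second; consider "0 means the login is considered stale as soon as it is older than the current second". Related, and only partly visible here: `isReAuthRequiredForKcAction` now calls `getMaxAuthAge()` on the provider looked up from the `Constants.KC_ACTION` client note without a null check, so a `kc_action` value that matches no registered provider would throw rather than return `false`; the end of that method lies outside this view, so I cannot tell whether the lookup is validated before this point.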


@ -20,6 +20,7 @@ import org.jboss.logging.Logger;
import org.keycloak.OAuth2Constants;
import org.keycloak.OAuthErrorException;
import org.keycloak.TokenIdGenerator;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.common.util.Time;
import org.keycloak.connections.httpclient.HttpClientProvider;
import org.keycloak.constants.AdapterConstants;
@ -376,9 +377,11 @@ public class OIDCLoginProtocol implements LoginProtocol {
protected boolean isReAuthRequiredForKcAction(UserSessionModel userSession, AuthenticationSessionModel authSession) {
if (authSession.getClientNote(Constants.KC_ACTION) != null) {
String providerId = authSession.getClientNote(Constants.KC_ACTION);
RequiredActionProvider requiredActionProvider = this.session.getProvider(RequiredActionProvider.class, providerId);
String authTime = userSession.getNote(AuthenticationManager.AUTH_TIME);
int authTimeInt = authTime == null ? 0 : Integer.parseInt(authTime);
int maxAgeInt = Constants.KC_ACTION_MAX_AGE;
int maxAgeInt = requiredActionProvider.getMaxAuthAge();
return authTimeInt + maxAgeInt < Time.currentTime();
} else {
return false;