KEYCLOAK-14851: make AIA max auth age configurable per AIA
This commit is contained in:
parent
7217b597f3
commit
8597edba8e
2 changed files with 11 additions and 1 deletions
|
@ -17,6 +17,7 @@
|
|||
|
||||
package org.keycloak.authentication;
|
||||
|
||||
import org.keycloak.models.Constants;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.provider.Provider;
|
||||
import org.keycloak.sessions.AuthenticationSessionModel;
|
||||
|
@ -75,4 +76,10 @@ public interface RequiredActionProvider extends Provider {
|
|||
* @param context
|
||||
*/
|
||||
void processAction(RequiredActionContext context);
|
||||
|
||||
/**
|
||||
* Defines the max time after a user login, after which re-authentication is requested for an AIA. 0 means that re-authentication is always requested.
|
||||
*
|
||||
*/
|
||||
default int getMaxAuthAge() { return Constants.KC_ACTION_MAX_AGE; }
|
||||
}
|
||||
|
|
|
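Review bot: The Javadoc on the new `getMaxAuthAge()` has no `@return`, does not name the unit, and its claim that 0 means re-authentication is "always" requested does not match the caller in the other file of this commit, which tests `authTimeInt + maxAgeInt < Time.currentTime()`, so with 0 a login recorded in the current second still passes. The unit appears to be seconds, but that is inferred from the `Time.currentTime()` comparison rather than stated anywhere here, so it is worth writing down. I would add `@return the maximum age of the user's login, in seconds (presumably, as it is compared against Time.currentTime()), after which re-authentication is required for this action; 0 requires re-authentication for any login older than the current instant`. The doc could also say that a provider returning a large value effectively disables the re-authentication check for its own action, since that is the consequence an implementer of this hook needs to weigh.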
@ -20,6 +20,7 @@ import org.jboss.logging.Logger;
|
|||
import org.keycloak.OAuth2Constants;
|
||||
import org.keycloak.OAuthErrorException;
|
||||
import org.keycloak.TokenIdGenerator;
|
||||
import org.keycloak.authentication.RequiredActionProvider;
|
||||
import org.keycloak.common.util.Time;
|
||||
import org.keycloak.connections.httpclient.HttpClientProvider;
|
||||
import org.keycloak.constants.AdapterConstants;
|
||||
|
@ -376,9 +377,11 @@ public class OIDCLoginProtocol implements LoginProtocol {
|
|||
|
||||
protected boolean isReAuthRequiredForKcAction(UserSessionModel userSession, AuthenticationSessionModel authSession) {
|
||||
if (authSession.getClientNote(Constants.KC_ACTION) != null) {
|
||||
String providerId = authSession.getClientNote(Constants.KC_ACTION);
|
||||
RequiredActionProvider requiredActionProvider = this.session.getProvider(RequiredActionProvider.class, providerId);
|
||||
String authTime = userSession.getNote(AuthenticationManager.AUTH_TIME);
|
||||
int authTimeInt = authTime == null ? 0 : Integer.parseInt(authTime);
|
||||
int maxAgeInt = Constants.KC_ACTION_MAX_AGE;
|
||||
int maxAgeInt = requiredActionProvider.getMaxAuthAge();
|
||||
return authTimeInt + maxAgeInt < Time.currentTime();
|
||||
} else {
|
||||
return false;
|
||||
|
|
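Review bot: `requiredActionProvider.getMaxAuthAge()` on the replaced line is called without a null check, and `providerId` is taken from the `KC_ACTION` client note rather than from anything this class controls; if `session.getProvider` returns null for an id with no registered factory (it appears to, but that is not visible in this hunk), a request naming an unknown action now ends in a NullPointerException where the old code simply used `Constants.KC_ACTION_MAX_AGE`. Falling back to the constant preserves the previous behaviour for unknown ids: `int maxAgeInt = requiredActionProvider == null ? Constants.KC_ACTION_MAX_AGE : requiredActionProvider.getMaxAuthAge();`. The `Integer.parseInt(authTime)` two lines above is not touched by this commit but has the same shape of risk if the note is ever malformed. The closing braces of isReAuthRequiredForKcAction lie outside the hunk.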