KEYCLOAK-18949 DirectGrant login should fail if authenticationSession contains some required actions
This commit is contained in:
parent
d8cb279bc4
commit
b1d39aa136
4 changed files with 101 additions and 1 deletions
|
@ -660,7 +660,7 @@ public class TokenEndpoint {
|
|||
}
|
||||
processor.evaluateRequiredActionTriggers();
|
||||
UserModel user = authSession.getAuthenticatedUser();
|
||||
if (user.getRequiredActionsStream().count() > 0) {
|
||||
if (user.getRequiredActionsStream().count() > 0 || authSession.getRequiredActions().size() > 0) {
|
||||
// Remove authentication session as "Resource Owner Password Credentials Grant" is single-request scoped authentication
|
||||
new AuthenticationSessionManager(session).removeAuthenticationSession(realm, authSession, false);
|
||||
event.error(Errors.RESOLVE_REQUIRED_ACTIONS);
|
||||
|
|
|
@ -0,0 +1,93 @@
|
|||
/*
|
||||
* Copyright 2021 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
*/
|
||||
|
||||
package org.keycloak.testsuite.forms;
|
||||
|
||||
import java.util.List;
|
||||
import java.util.function.Consumer;
|
||||
|
||||
import org.jboss.arquillian.drone.api.annotation.Drone;
|
||||
import org.jboss.arquillian.graphene.page.Page;
|
||||
import org.jboss.arquillian.test.api.ArquillianResource;
|
||||
import org.junit.Rule;
|
||||
import org.junit.Test;
|
||||
import org.keycloak.authentication.authenticators.browser.OTPFormAuthenticatorFactory;
|
||||
import org.keycloak.authentication.authenticators.directgrant.ValidatePassword;
|
||||
import org.keycloak.authentication.authenticators.directgrant.ValidateUsername;
|
||||
import org.keycloak.models.AuthenticationExecutionModel;
|
||||
import org.keycloak.representations.idm.RealmRepresentation;
|
||||
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
|
||||
import org.keycloak.testsuite.AssertEvents;
|
||||
import org.keycloak.testsuite.util.FlowUtil;
|
||||
import org.keycloak.testsuite.util.OAuthClient;
|
||||
import org.openqa.selenium.WebDriver;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
|
||||
/**
|
||||
* Test of custom configurations of DirectGrant flow (Resource Owner Password Credentials Grant)
|
||||
*
|
||||
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||
*/
|
||||
public class DirectGrantFlowTest extends AbstractTestRealmKeycloakTest {
|
||||
|
||||
@ArquillianResource
|
||||
protected OAuthClient oauth;
|
||||
|
||||
@Drone
|
||||
protected WebDriver driver;
|
||||
|
||||
@Rule
|
||||
public AssertEvents events = new AssertEvents(this);
|
||||
|
||||
@Override
|
||||
public void configureTestRealm(RealmRepresentation testRealm) {
|
||||
}
|
||||
|
||||
|
||||
private void configureDirectGrantFlowWithOTPForm(String newFlowAlias) {
|
||||
testingClient.server("test").run(session -> FlowUtil.inCurrentRealm(session).copyDirectGrantFlow(newFlowAlias));
|
||||
testingClient.server("test").run(session -> FlowUtil.inCurrentRealm(session)
|
||||
.selectFlow(newFlowAlias)
|
||||
.clear()
|
||||
.addAuthenticatorExecution(AuthenticationExecutionModel.Requirement.REQUIRED, ValidateUsername.PROVIDER_ID)
|
||||
.addAuthenticatorExecution(AuthenticationExecutionModel.Requirement.REQUIRED, ValidatePassword.PROVIDER_ID)
|
||||
.addAuthenticatorExecution(AuthenticationExecutionModel.Requirement.REQUIRED, OTPFormAuthenticatorFactory.PROVIDER_ID)
|
||||
.defineAsDirectGrantFlow()
|
||||
);
|
||||
}
|
||||
|
||||
// KEYCLOAK-18949
|
||||
@Test
|
||||
public void testDirectGrantLoginWithOTPFormShouldFail() throws Exception {
|
||||
configureDirectGrantFlowWithOTPForm("new-direct-grant");
|
||||
|
||||
String clientId = "direct-grant";
|
||||
String login = "test-user@localhost";
|
||||
|
||||
// User should not be able to login as there was required action added to authenticationSession by OTPFormAuthenticator
|
||||
oauth.clientId(clientId);
|
||||
OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("password", login, "password", null);
|
||||
|
||||
assertEquals(400, response.getStatusCode());
|
||||
assertEquals("invalid_grant", response.getError());
|
||||
assertEquals("Account is not fully set up", response.getErrorDescription());
|
||||
}
|
||||
|
||||
|
||||
}
|
|
@ -82,6 +82,10 @@ public class FlowUtil {
|
|||
return copyFlow(DefaultAuthenticationFlows.REGISTRATION_FLOW, newFlowAlias);
|
||||
}
|
||||
|
||||
public FlowUtil copyDirectGrantFlow(String newFlowAlias) {
|
||||
return copyFlow(DefaultAuthenticationFlows.DIRECT_GRANT_FLOW, newFlowAlias);
|
||||
}
|
||||
|
||||
public FlowUtil copyFlow(String original, String newFlowAlias) {
|
||||
flowAlias = newFlowAlias;
|
||||
AuthenticationFlowModel existingBrowserFlow = realm.getFlowByAlias(original);
|
||||
|
|
|
@ -74,6 +74,9 @@ log4j.logger.org.keycloak.models.sessions.infinispan=${keycloak.infinispan.loggi
|
|||
# Enable to view details about LDAP performance operations
|
||||
# log4j.logger.org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.perf=trace
|
||||
|
||||
# Enable to view MSAD mapper logging
|
||||
#log4j.logger.org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper=trace
|
||||
|
||||
# Enable to view kerberos/spnego logging
|
||||
# log4j.logger.org.keycloak.federation.kerberos=trace
|
||||
|
||||
|
|
Loading…
Reference in a new issue